
Copyright 2012, WildPackets, Inc. All rights reserved. Information in this document is subject to change without notice. No part of this document may be reproduced or transmitted in any form, or by any means, electronic or mechanical, including photocopying, for any purpose, without the express written permission of WildPackets, Inc.

AiroPeek SE, AiroPeek NX, AiroPeek VX, Compass Live, EtherPeek SE, EtherPeek NX, EtherPeek VX, Gigabit Analyzer Card, GigaPeek NX, iNetTools, NAX, NetDoppler, NetSense, Network Calculator, Omni, Omni Capture Engine, Omni Desktop Engine, Omni DNX Engine, OmniAdapter, OmniAdapter 10G, OmniEngine Desktop, OmniEngine Enterprise, OmniEngine Manager, OmniEngine Workgroup, Omni Management Console, Omni PacketGrabber, Omni Virtual Network Service, OmniPeek, OmniPeek Basic, OmniPeek Connect, OmniPeek Enterprise, OmniPeek Enterprise Connect, OmniPeek Personal, OmniPeek Professional, OmniPeek Workgroup, OmniPeek Workgroup Pro, Omnipliance, Omnipliance Core, Omnipliance Edge, Omnipliance Portable, Omnipliance SuperCore, OmniSpectrum, OmniVirtual, OmniWatch, PacketGrabber, Peek DNX, ProConvert, ProtoSpecs, RFGrabber, RMONGrabber, TimeLine, TimeLine Network Recorder, WAN Analyzer Card, WANPeek NX, WatchPoint, WildPackets, WildPackets Academy, WildPackets Compass, and WildPackets OmniAnalysis Platform are trademarks of WildPackets, Inc. All other trademarks are the property of their respective holders. WildPackets, Inc. reserves the right to make changes in the product design without reservation and without notification to its users.

Contacting WildPackets
Mailing address: WildPackets, Inc., 1340 Treat Blvd., Suite 500, Walnut Creek, CA 94597
Voice (8 AM - 5 PM PST): (925) 937-3200; (800) 466-2447 (US only)
Fax: (925) 937-3211
Sales: sales@wildpackets.com
Web: http://www.wildpackets.com
Technical Support: http://www.wildpackets.com/support
Resources: http://www.wildpackets.com/support/resources (white papers, tutorials, technical briefs and more)


Professional Services
WildPackets offers a full spectrum of professional services, available onsite or remote, to help customers make the most of their network infrastructure investment. The WildPackets Professional Services team stands ready to partner with you to maximize your network performance and to minimize your network downtime. WildPackets technical instructors, network systems engineers, and custom software developers can help you design, build, manage, and secure a better network for your business. See http://www.wildpackets.com/services for the course catalog, current public course scheduling, web-delivered courses, OnDemand courses, and consulting services.
WildPackets Academy: (800) 466-2447, training@wildpackets.com

Product Support and Maintenance


WildPackets Maintenance Programs ensure that you grow along with our products as new features and enhancements are added and that your usage is fully supported by our Technical Support staff. Enhanced support services are available with remote or onsite consulting. Developer support is also available for customers adding custom enhancements to WildPackets products. All Maintenance inquiries and purchases can be accommodated by contacting sales@wildpackets.com.

Developer Community
To join the WildPackets Developer Network and gain access to product plug-ins, plug-in wizards, and API documentation, please visit http://mypeek.wildpackets.com.

About WildPackets, Inc.


WildPackets delivers software and hardware solutions that drive network performance, enabling organizations of all sizes to actively monitor, analyze, troubleshoot, optimize, and secure their wired and wireless networks. WildPackets products are sold in over 60 countries and deployed in all industrial sectors, including 80 percent of the Fortune 1000. WildPackets is a Cisco Technical Development Partner. For further information, please visit www.wildpackets.com.

20121003-UG-OP70a


Contents
Chapter 1  Introduction . . . 1
  About OmniPeek . . . 2
    OmniPeek as a portable analyzer . . . 2
    OmniPeek with distributed OmniEngines . . . 2
    OmniPeek product family . . . 3
    Network forensics . . . 4
    Voice and video over IP analysis . . . 4
    Compass dashboard . . . 4
    Multi-segment analysis . . . 4
  System requirements . . . 5
  Supported adapters . . . 5
    Ethernet . . . 6
    Full-Duplex Gigabit . . . 6
    Full-Duplex 10 Gigabit . . . 6
    Wireless . . . 7
  Installing OmniPeek . . . 7
  Installing an OmniEngine . . . 8
  Main program window and Start Page . . . 8
  Commonly used terms . . . 10

Chapter 2  Using OmniEngines with OmniPeek . . . 11
  About OmniEngines . . . 12
  Displaying the OmniEngines window . . . 13
  Connecting to an OmniEngine . . . 14
  Organizing OmniEngines by groups . . . 16
  Discovering OmniEngines . . . 18
  The OmniEngines window tabs . . . 20
    OmniEngine tabs . . . 21
  Configuring and updating OmniEngine settings . . . 24
    Configuring an OmniEngine . . . 24
    Updating software and settings . . . 26

Chapter 3  The Capture Window . . . 29
  About capture windows . . . 30
  Creating an OmniPeek capture window . . . 30
  Creating an OmniEngine capture window . . . 31
  Configuring capture options . . . 34
    Configuring general options . . . 35
    Configuring adapter options . . . 40
  Navigating a capture window . . . 46
  Capture window views . . . 47
  Opening saved capture files . . . 50
    OmniPeek capture files . . . 50
    OmniEngine capture files . . . 51
  Splitting saved capture files . . . 52
    Combining files . . . 52
  Using capture templates . . . 52
    OmniPeek capture templates . . . 53
    OmniEngine capture templates . . . 53
    Multiple capture windows from a single template . . . 54
  Forensics capture on an OmniEngine . . . 55
  Monitoring capture on an OmniEngine . . . 56

Chapter 4  Dashboards . . . 59
  About dashboards . . . 60
  Timeline dashboard . . . 60
  Network dashboard . . . 63
  Voice & Video dashboard . . . 64
  Apdex dashboard . . . 66
    Calculating the Apdex score . . . 68
  Compass dashboard . . . 70
    Network utilization graphs . . . 71
    Top protocols . . . 76
    Top flows . . . 79
    Top nodes . . . 81
    Viewing a real-time capture Compass dashboard . . . 84
    Viewing a single file Compass dashboard . . . 85
    Viewing a multiple file Compass dashboard . . . 85
    Compass viewing tips . . . 88
    Save Compass dashboard as a report . . . 89
    Using the Compass dashboard in monitor mode . . . 91

Chapter 5  Viewing and Decoding Packets . . . 93
  About packets . . . 94
  Capturing packets into a capture window . . . 94
    OmniEngines Captures tab . . . 97


OmniPeek User Guide

  Viewing captured packets . . . 98
    Navigating the Packets view . . . 98
    Customizing packet views . . . 101
    Adding notes to packets . . . 102
  Applying decryption in the Packets view . . . 102
  Applying SSL decryption to packets . . . 103
  Saving captured packets . . . 105
    Save file formats . . . 105
    Deleting all packets . . . 107
  Printing packet lists and packet decode windows . . . 107
  Decoding packets . . . 108
    Window header . . . 109
    Decode view . . . 111
    Hex and ASCII views . . . 112
  Showing data offsets and mask information . . . 113
  Choosing a decoder . . . 113
    Line decoders . . . 114
    Writing your own decoders . . . 116
  Applying decryption from the packet decode window . . . 116
  Decode reassembled PDU . . . 116
  Using thread intelligence . . . 117
    Manually selecting further decode options . . . 118

Chapter 6  Creating and Using Filters . . . 119
  About filters . . . 120
  Viewing filters . . . 120
    OmniPeek filters window . . . 120
    OmniEngine filters tab . . . 121
  Display filters . . . 122
  Enabling a filter . . . 124
    Enabling filters from the Capture Options dialog . . . 124
    Enabling filters from the capture window . . . 126
  Creating filters with the Make Filter command . . . 128
  Creating a simple filter . . . 128
  Creating an advanced filter . . . 129
    Logical AND, OR, and NOT operators in advanced filters . . . 130
  Creating a new capture window based on a filter . . . 132
  Filter types . . . 133
  Creating filters with the filter bar . . . 135
    Using the filter bar . . . 136
    Filter bar syntax . . . 136
  Editing filters . . . 139
  Duplicating filters . . . 140
  Saving and loading filters . . . 140

Chapter 7  Post-capture Analysis . . . 143
  About post-capture analysis . . . 144
    Network forensics . . . 144
  Saving packets . . . 144
  Copying selected packets to a new window . . . 145
  Hiding and unhiding packets . . . 145
    Using hide and unhide on an OmniEngine . . . 146
  Selecting related packets . . . 146
  Finding strings in packets . . . 148
  Selecting packets matching user-defined criteria . . . 150
  Performing a forensic search on an OmniEngine . . . 153
    Forensic search from the Files tab . . . 153
    Forensic search from the Forensics tab . . . 158
    Forensic search from the Forensics Capture window . . . 168

Chapter 8  Expert Analysis . . . 175
  About expert analysis . . . 176
  Expert views and tabs . . . 176
    Expert events . . . 178
    Expert Clients/Servers view . . . 178
    Expert Flows view . . . 180
    Expert Application view . . . 181
    Expert lower pane tabs . . . 183
  Configuring expert views . . . 185
    Configuring column display . . . 185
    Expert view options dialog . . . 185
    Setting client/server colors . . . 186
    Setting units for time and throughput . . . 187
    Expert view packet selection . . . 188
    Expert save functions . . . 189
  Expert EventFinder . . . 189
    Expert memory usage . . . 191
  Visual Expert . . . 192
    PacketVisualizer tab . . . 193
    Payload tab . . . 196
    Graphs tab . . . 197
    What If tab . . . 203
    Compare tab . . . 205
    Summary tab . . . 206
  Network policy settings . . . 206
    Vendor ID policy . . . 207
    Channel policy . . . 208
    ESSID policy . . . 209
    WLAN encryption policy . . . 209
    WLAN authentication policy . . . 209

Chapter 9  Multi-Segment Analysis . . . 211
  About Multi-Segment Analysis . . . 212
  MSA project window . . . 213
    Flow list . . . 214
    Flow map . . . 217
    Ladder . . . 218
  Creating an MSA project . . . 219
  Using the MSA wizard . . . 221
    Create a new multi-segment analysis project . . . 221
    Time range & filter . . . 221
    Engines . . . 222
    Capture sessions . . . 223
    Progress . . . 225
    Segments . . . 226
    Edit segment . . . 227
    Project file . . . 228
  MSA project analysis options . . . 229
    Creating a mapping profile . . . 231

Chapter 10  Web Analysis . . . 233
  About web analysis . . . 234
  Web view window . . . 234
  Timing column . . . 236
    Packet counts in web views . . . 238
  Web upper pane views . . . 239
    Servers view . . . 239
    Clients view . . . 240
    Pages view . . . 241
    Requests view . . . 242
  Web lower pane tabs . . . 243
    Details tab . . . 243
    Headers tab . . . 244
    Contents tab . . . 245
    Timing tab . . . 246
  Configuring web views . . . 250
    Web view columns . . . 250
    Web packet selection . . . 250
    Web save functions . . . 251

Chapter 11  Voice & Video Analysis . . . 253
  About Voice & Video analysis . . . 254
  Voice & Video view window . . . 254
  Voice & Video upper pane views . . . 256
    Calls view . . . 256
    Media view . . . 257
  Voice & Video lower pane tabs . . . 258
    Voice & Video Details tab . . . 259
    Voice & Video Event Summary tab . . . 260
    Voice & Video Event Log tab . . . 261
  Calls and Media options . . . 261
    Voice & Video Visual Expert . . . 262
    Saving voice and video statistics . . . 267
    Playing calls or media as audio . . . 268
    Saving calls or media as audio WAV files . . . 268
    Selecting voice and video related packets . . . 268
    Making a voice or video filter . . . 269
  Configuring options in Voice & Video views . . . 270
    Voice & Video view columns . . . 270
    Setting VoIP options . . . 271
  Summary voice and video statistics . . . 271

Chapter 12  Displaying and Reporting Statistics . . . 275
  About statistics . . . 276
  Monitoring network statistics . . . 276
    Configuring monitor options . . . 277
  Viewing capture window statistics . . . 279
  Configuring statistics displays . . . 280
    View options for statistics . . . 280
    Controlling color in statistics lists . . . 280
  Saving statistics output . . . 280
    Saving statistics . . . 280
    Generating statistics reports . . . 281
    Printing statistics . . . 281
  Node statistics . . . 281
    Hierarchy view of nodes . . . 283
    Flat views of nodes . . . 283
    Viewing details for a network node . . . 283
  Protocol statistics . . . 284
    Hierarchy view of protocols . . . 286
    Flat view of protocols . . . 286
    ProtoSpecs . . . 287
    Viewing details for a protocol . . . 287
  Network statistics . . . 288
  Size statistics . . . 290
  Summary statistics . . . 291
    Creating snapshots of summary statistics . . . 293
  History statistics . . . 293
  Channel statistics . . . 295
  WLAN statistics . . . 297
    Hierarchy of wireless nodes . . . 300
  Signal statistics . . . 300
  Generating statistics output reports . . . 302
    Statistics output reports from monitor statistics . . . 302
    Statistics output reports from capture window statistics . . . 303
    New file set schedule . . . 304
  Viewing statistics output reports . . . 305

Chapter 13

Using the Peer Map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307


About the Peer Map . . . . . 308
The Peer Map view . . . . . 308
Nodes and traffic in the Peer Map . . . . . 309
Parts of the Peer Map . . . . . 309
Configuration tab . . . . . 310
Node Visibilities tab . . . . . 312
Profiles tab . . . . . 314
Peer Map options . . . . . 315
Displaying relevant nodes and traffic . . . . . 315
Displaying node tooltips . . . . . 318

Chapter 14

Creating Graphs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321


About graphs . . . . . 322
OmniPeek monitor statistics graphs . . . . . 322
OmniPeek capture statistics graphs . . . . . 324
OmniPeek capture window graphs . . . . . 326
OmniEngine statistics graphs . . . . . 327

xi

Contents

OmniEngine graphs tab . . . . . 329
OmniEngine graphs capture options . . . . . 329
OmniEngine capture window graphs . . . . . 330
OmniEngine graph templates . . . . . 333
Creating a new OmniEngine graph template . . . . . 333
Editing an OmniEngine graph template . . . . . 337
Configuring and saving graphs . . . . . 338
Graph display options . . . . . 338
Saving OmniPeek graphs . . . . . 340
Saving OmniEngine graphs . . . . . 340

Chapter 15

Setting Alarms and Triggers . . . . . . . . . . . . . . . . . . . . . . . . . . . 341


About alarms and triggers . . . . . 342
Viewing alarms . . . . . 342
Predefined alarms . . . . . 342
OmniPeek alarms . . . . . 342
OmniEngine alarm windows . . . . . 344
Creating and editing alarms . . . . . 348
Creating and editing OmniEngine alarms . . . . . 349
Setting triggers . . . . . 350
Setting start and stop triggers on an OmniEngine . . . . . 352

Chapter 16

Sending Notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357


About notifications . . . . . 358
Configuring notifications . . . . . 358
Creating a notification action . . . . . 360
Sources of OmniEngine notifications . . . . . 362

Chapter 17

Using the Name Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363


About the name table . . . . . 364
Adding entries to the name table . . . . . 364
The name table window . . . . . 364
Adding and editing name table entries manually . . . . . 366
Adding names from other windows . . . . . 367
Trusted, known, and unknown nodes . . . . . 367
OmniPeek name resolution . . . . . 368
Configuring name resolution . . . . . 368
Loading and saving name table data . . . . . 370
Loading a previously saved name table . . . . . 370
Saving the name table . . . . . 371
Using the OmniEngine trust table . . . . . 371


OmniPeek User Guide

OmniEngine trust table tab . . . . . 372
OmniEngine name resolution . . . . . 373

Chapter 18

Viewing Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375


About logs . . . . . 376
OmniPeek global log . . . . . 376
OmniEngine global log . . . . . 377
OmniPeek capture logs . . . . . 379
OmniEngine capture logs . . . . . 381

Chapter 19

Applying Analysis Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . 383


About analysis modules . . . . . 384
Enabling and configuring analysis modules . . . . . 384
Apply analysis module command . . . . . 385
Using analysis modules . . . . . 386
Installed analysis modules . . . . . 386
OmniEngine analysis modules . . . . . 386

Chapter 20

Using AutoCapture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389


About AutoCapture . . . . . 390
Creating and editing AutoCapture files . . . . . 390
AutoCapture adapter search . . . . . 391
AutoCapture templates . . . . . 394
AutoCapture send options . . . . . 396
Using an AutoCapture file . . . . . 398
Using AutoCapture files as scheduled tasks . . . . . 399

Chapter 21

Sending Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401


About sending packets . . . . . 402
Selecting the send adapter . . . . . 402
Sending the send packet . . . . . 403
Editing the send packet . . . . . 405

Chapter 22

Configuring Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407


Configuring the Options dialog . . . . . 408
Configuring display format options . . . . . 409
Configuring color options . . . . . 410
Customizing the tools menu . . . . . 411
Optimizing capture performance . . . . . 411



Chapter 23

Capturing Data for Wireless Analysis . . . . . . . . . . . . . . . . . . . 413


About 802.11 . . . . . 414
Configuring wireless channels and encryption . . . . . 414
Edit scanning options . . . . . 416
Edit key sets . . . . . 417
Troubleshooting WLAN . . . . . 419
Portable analysis . . . . . 419
Distributed analysis . . . . . 420
Optimizing wireless analysis . . . . . 420
Roaming latency analysis . . . . . 422
Log . . . . . 422
by Node . . . . . 423
by AP . . . . . 423

Chapter 24

Configuring Analyzer Cards . . . . . . . . . . . . . . . . . . . . . . . . . . . 425


About analyzer cards . . . . . 426
Configuring hardware profiles for OmniAdapters . . . . . 426
Configuring hardware profiles for OmniAdapters on an OmniEngine . . . . . 429

Chapter 25

OmniPeek Remote Assistant . . . . . . . . . . . . . . . . . . . . . . . . . . 433


About OmniPeek Remote Assistant . . . . . 434
Generating an ORA management file . . . . . 435
Generating encrypted capture files . . . . . 436
Opening an encrypted capture file . . . . . 438
Importing an ORA management file . . . . . 438
Exporting ORA management file . . . . . 438

Chapter 26

Global Positioning System . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439


About GPS . . . . . 440
Enabling GPS . . . . . 440
Starting the WildPackets GPS daemon from the system tray . . . . . 441
GPS columns in the Packets view . . . . . 442

Chapter 27

Using Matrix Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445


About matrix switches . . . . . 446
Creating a new switch configuration profile . . . . . 446
Creating a profile for Datacom switches . . . . . 446
Creating a profile for Net Optics switches . . . . . 448
Configuring a matrix switch in OmniPeek . . . . . 449

Appendix A

Menus and Keyboard Shortcuts . . . . . 453


File menu . . . . . 454
Edit menu . . . . . 455
View menu . . . . . 457
Capture menu . . . . . 460
Send menu . . . . . 460
Monitor menu . . . . . 461
Tools menu . . . . . 461
Window menu . . . . . 462
Help menu . . . . . 463

Appendix B

Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
Packet list columns . . . . . 466
Expert view columns . . . . . 470
Expert clients/servers, flows, and application view columns . . . . . 470
Expert event log columns . . . . . 473
Expert node details tab rows and columns . . . . . 474
Visual Expert PacketVisualizer tab columns . . . . . 475
Visual Expert TCP Trace graph flags . . . . . 476
Web view columns . . . . . 476
Voice & Video view columns . . . . . 478
Voice & Video Visual Expert columns . . . . . 482
Nodes statistics columns . . . . . 483
WLAN statistics columns . . . . . 485
Channel statistics columns . . . . . 489
OmniEngine capture tab columns . . . . . 491
OmniEngine files tab columns . . . . . 492
OmniEngine details tab columns . . . . . 493
Starting OmniPeek from the command line . . . . . 494

Appendix C

OmniPeek Installed Components . . . . . 495


Component descriptions . . . . . 496

Appendix D

Analysis Modules . . . . . 499


Analysis Module Descriptions . . . . . 500
802.11 Analysis . . . . . 500
AppleTalk Analysis . . . . . 501
Aggregator Adapter . . . . . 501
Aruba Remote Adapter . . . . . 502
Checksums Analysis . . . . . 502
Cisco Remote Adapter . . . . . 503
Compass Adapter . . . . . 503
Duplicate Address . . . . . 503


Email Analysis . . . . . 505
FTP Analysis . . . . . 506
ICMP Analysis . . . . . 506
IP Analysis . . . . . 507
Modbus Analysis . . . . . 508
MPLS/VLAN Analysis . . . . . 508
NCP Analysis . . . . . 510
NetWare Analysis . . . . . 510
Newsgroup Analysis . . . . . 510
PPP Analysis . . . . . 510
RADIUS Analysis . . . . . 510
RFGrabber . . . . . 511
SCTP Analysis . . . . . 511
SMB Analysis . . . . . 511
SQL Analysis . . . . . 512
SUM Analysis . . . . . 512
Telnet Analysis . . . . . 513
VoIP Analysis . . . . . 513
WAN Analysis . . . . . 513
Web Analysis . . . . . 514

Appendix E

Expert Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515


About Expert events . . . . . 516
VoIP . . . . . 516
WAN . . . . . 518
Wireless . . . . . 518
Network Policy . . . . . 523
Client/Server . . . . . 523
Application . . . . . 524
Session . . . . . 527
Transport . . . . . 527
Network . . . . . 529
Data Link . . . . . 530
Physical . . . . . 531

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 533


CHAPTER 1 Introduction
In this chapter:
About OmniPeek . . . . . 2
System requirements . . . . . 5
Supported adapters . . . . . 5
Installing OmniPeek . . . . . 7
Installing an OmniEngine . . . . . 8
Main program window and Start Page . . . . . 8
Commonly used terms . . . . . 10

Chapter 1: Introduction

About OmniPeek
Welcome to OmniPeek, the network software analyzer from WildPackets! OmniPeek functions both as a portable network analyzer and as a software console for distributed OmniEngines installed at strategic locations across the network.

OmniPeek as a portable analyzer


As a portable analyzer, OmniPeek offers an intuitive, easy-to-use graphical interface that engineers can use to rapidly analyze and troubleshoot enterprise networks. OmniPeek supports local captures from multiple interfaces and data collection from any network topology, including 10 Gigabit and Gigabit networks, wireless networks, and local matrix switches.

OmniPeek with distributed OmniEngines


As a software console for OmniEngines, OmniPeek can also manage and interact with an unlimited number of OmniEngines performing independent capture and analysis at any location across the network. OmniPeek allows network engineers to troubleshoot problems and perform statistical analysis on remote segments from a single location, as shown in the diagram below.

A single OmniEngine can also link to multiple installations of OmniPeek, allowing simultaneous connection and collaboration, as shown in the following diagram.


In addition, because OmniEngines put the processing power at the point of capture, multiple connections and diverse configurations can be used without creating a strain on network bandwidth. The separately purchased OmniEngines have no user interface of their own, and rely on OmniPeek to provide a user interface through the OmniEngines window. For more information, see Chapter 2, Using OmniEngines with OmniPeek. See also the OmniEngine Getting Started Guide that ships with the product or the online help in the OmniEngine Manager application.

OmniPeek product family


The OmniPeek product family includes OmniPeek analyzers, distributed OmniEngines, OmniPeek Remote Assistant, TimeLine and Omnipliance network recorders, and OmniAdapters for distributed packet capture. OmniPeek can be purchased in Enterprise, Professional, Basic, or Connect versions; and OmniEngine in Enterprise, Desktop, or OmniVirtual versions, offering a variety of licensing and feature options. Please visit our Web site at http://www.wildpackets.com for details about how to select the OmniPeek configurations and media types that precisely fit the needs of your network. Important! This User Guide describes OmniPeek and OmniEngines in their full-featured versions.



Network forensics
Network forensics is the retrospective analysis of network traffic for the purpose of conducting an investigation. You can use OmniPeek to capture, store, and data mine large volumes of traffic data in order to investigate items such as network problems, security attacks, HR policy violations, and more. See the following chapters and sections for more information on how to use OmniPeek in different ways to perform forensics on your own network.

Forensics capture on an OmniEngine on page 55
Performing a forensic search on an OmniEngine on page 153
Compass dashboard on page 70
Chapter 7, Post-capture Analysis
Chapter 10, Web Analysis

Voice and video over IP analysis


If you have purchased OmniPeek Enterprise, voice and video over IP analysis is available in the Voice & Video views of capture windows. It covers both call signaling and media, providing simultaneous analysis of voice and video traffic with subjective and objective quality metrics. For information, see Chapter 11, Voice & Video Analysis.

Compass dashboard
The OmniPeek Compass dashboard provides an interactive forensics view of key network statistics, which can be graphed, dynamically interacted with, and reported on. With its unique ability to aggregate traffic from multiple segments, the Compass dashboard provides network engineers with more visibility and insight into their networks. The Compass dashboard offers both real-time and post-capture monitoring of high-level network statistics with drill down capability into packets for the selected time range. Using the Compass dashboard, multiple files can be aggregated and analyzed simultaneously. For information, see Compass dashboard on page 70.

Multi-segment analysis
Multi-Segment Analysis (MSA) provides visibility into application flows across multiple network segments, reporting network delay, packet loss, and retransmissions on each segment. It can quickly pinpoint problems and their root causes across segments, bring the problematic flows together into an analysis session, report anomalies, and visualize the flow across the segments graphically. For information, see Chapter 9, Multi-Segment Analysis.


System requirements
The system requirements for OmniPeek are:

Windows 7, Windows Server 2008, Windows Server 2003, Windows XP Professional
Internet Explorer 8.0
Adobe Flash Player 11 or later
Microsoft .NET Framework 4.0

OmniPeek supports most rack mount, desktop and portable computers as long as the basic system requirements to run the supported operating systems are met. Depending on traffic and the particular usage of OmniPeek, the requirements may be substantially higher. The following system is recommended for OmniPeek:

Intel Core i3 or higher processor
4 GB RAM (OmniPeek Enterprise and Connect) / 2 GB RAM (OmniPeek Professional and Basic)
40 GB available hard disk space (OmniPeek Enterprise and Connect) / 20 GB available hard disk space (OmniPeek Professional and Basic)

Factors that contribute to superior performance include a high-speed CPU, dual CPUs, 2 GB or more of RAM, a high-performance disk storage subsystem (RAID 0), and as much additional hard disk space as is required to store the trace files that you plan to manage. On all supported operating systems, the user must have Administrator-level privileges in order to load and unload device drivers, or to select a network adapter for the program's use in capturing packets. For more information, please see our Web site at http://www.wildpackets.com/products.

Supported adapters
OmniPeek requires a supported network adapter installed in the capture machine in order to capture or monitor packets. OmniPeek supports a wide variety of Ethernet, Gigabit, 10 Gigabit, and wireless network adapters. WildPackets has developed a set of driver APIs that can be used to write drivers that extend adapter capabilities. Drivers that use these APIs have been developed for some of the leading WLAN, Ethernet, and Gigabit analyzer cards. OmniPeek and the OmniEngines ship with a number of drivers that support the WildPackets APIs. These drivers must be installed separately on the machine in which the card is installed. For more information, see the Readme file located in the Drivers folder in the program directory or visit http://www.wildpackets.com/support/omni/overview.

Ethernet
OmniPeek supports NDIS 3 or later compatible Ethernet, Fast Ethernet, and Gigabit network adapters that support promiscuous mode, from 3Com, Intel, Xircom, SMC, and many others. WildPackets has developed a set of driver APIs that can be used to write drivers that extend adapter capabilities for Ethernet cards that use particular chipsets. For more information, see the Readme file located in the Drivers folder in the program directory or visit http://www.wildpackets.com/support/omni/overview.

Full-Duplex Gigabit
OmniPeek supports the WildPackets family of Gigabit analyzer cards (OmniAdapters), which use state-of-the-art hardware and FPGA technology to provide high-performance analysis of Gigabit networks. Capturing packets at full line rate, the OmniAdapters merge both streams of the full-duplex traffic using synchronized timestamps. OmniAdapters also include features for creating filters, or hardware profiles, and packet slicing. For more information, see Configuring hardware profiles for OmniAdapters on page 426. The OmniAdapters can be attached via taps, matrix switches, or at a switch span port. Taps and matrix switches provide completely passive monitoring that does not affect the network, even in power loss conditions. For installation instructions and technical information, refer to the documentation that ships with the product or visit our Web site at http://www.wildpackets.com/products/network_recorders/omniadapter_analysis_cards. WildPackets has developed a set of driver APIs which can be used to write drivers that extend the adapter capabilities of the Gigabit analyzer cards. For more information, see the Readme file located in the Drivers folder in the program directory or visit http://www.wildpackets.com/support/omni/overview.

Full-Duplex 10 Gigabit
WildPackets offers 10GbE adapter cards (OmniAdapter 10G) to capture and analyze high-speed, full-duplex 10 Gigabit networks. The WildPackets OmniAdapter 10G is a high-performance, full-duplex 10 Gigabit network analyzer card with 2x10 Gbit/s optical interfaces that have been optimized for monitoring and troubleshooting traffic on 10 Gigabit Ethernet networks. OmniAdapter 10G provides hardware-accelerated packet tracing and dynamically configurable filtering together with high-precision timestamping. For more information, please visit http://www.wildpackets.com/products/analysis_cards/10GbE.

Wireless
For wireless packet capture, OmniPeek requires the installation of a special NDIS driver to capture wireless management, control, and data packets. This driver also provides complete support for network services when the application is not being used. WildPackets has tested Atheros, Marvell, and Ralink chipsets for wireless capture. For more information and to download other compatible wireless drivers, please visit http://www.wildpackets.com/support/downloads/drivers. The WildPackets Wireless Driver supports advanced functionality such as WPA/WPA2 decryption, noise measurement and hardware time-stamping in OmniPeek. For driver installation instructions, please refer to the Readme file included with the driver. To configure wireless channel settings and 802.11 security settings for your WLAN adapter, see Configuring wireless channels and encryption on page 414.

Important! Some cards supported by OmniPeek may not be usable for network services. 802.11 WLAN cards cannot be used for network services while they are in RF Monitor mode. The WildPackets OmniAdapter and OmniAdapter 10G are optimized for capture and do not send packets. They cannot be used for network services.

Installing OmniPeek
To install OmniPeek, follow these steps:

1. Uninstall any earlier versions of OmniPeek. The recommended way to uninstall is to run the installer and choose to remove the previous version.

2. Insert the OmniPeek Installer CD into your CD or DVD drive.

3. Follow the installation instructions that appear on the screen. During installation you are asked to enter a valid activation key. When prompted, you can select from the following:

Automatic: The installer uses your Internet connection to send an encrypted message to an activation server, which retrieves and displays your Activation Key. Please write down the Activation Key for future reference.

Manual: The installer allows you to enter the Activation Key manually. You can obtain an Activation Key in the following ways: go to a computer with an Internet connection and web browser and complete the request form, or call WildPackets Technical Support.

For more information about the product activation process, please see our Web site at: http://www.wildpackets.com/activation.

4. When the Installer has finished installing the program files, you can choose to view the Readme or launch the program. For a description of installed components, see Appendix C, OmniPeek Installed Components.

Note The OmniEngine Manager is installed by default with OmniPeek. This application lets you configure and update settings for separately purchased OmniEngines. Please see Configuring and updating OmniEngine settings on page 24.

Installing an OmniEngine
For complete instructions on how to install, configure, and update software and settings for OmniEngines, see the Getting Started Guide that ships with the OmniEngine.

Note Some users want to install both an OmniPeek console and an OmniEngine on the same machine. The only console that was designed to work simultaneously with an OmniEngine is the OmniPeek Connect console.

Main program window and Start Page


To start OmniPeek:

Choose Start > All Programs > WildPackets OmniPeek.

The main program window and Start Page appear. The parts of the main program window are described below.

Toolbar: Provides buttons for frequently-used tasks in OmniPeek. Choose View > Toolbars to display different toolbars or to customize toolbar options.

Start Page: Provides buttons for creating a new capture, opening saved capture files, viewing the OmniEngines window, and starting the monitoring of the network. Additionally, the Start Page provides links to useful resources, both local and online.

Status Bar: Shows brief context-sensitive messages on the left and the current monitor adapter on the right. Choose View > Status Bar to toggle the display of the status bar.

Main program window and Start Page

Chapter 1: Introduction

Commonly used terms


The following table contains descriptions of frequently used terms.

Capture window: Packets are captured into configurable capture windows, each with its own selected adapter, its own dedicated capture buffer and its own settings for filters, triggers, and statistics output. See Chapter 5, Viewing and Decoding Packets.

Capture file: Capture windows can be saved as capture files (also called Trace files). See Opening saved capture files on page 50.

OmniEngines window: The user interface that OmniPeek provides for the OmniEngines. See Chapter 2, Using OmniEngines with OmniPeek.

Forensics Capture: A template on an OmniEngine optimized for captures used for forensic analysis. See Forensics capture on an OmniEngine on page 55.

Monitoring Capture: A template on an OmniEngine optimized for captures used for Expert and statistical analysis. See Monitoring capture on an OmniEngine on page 56.

Monitor statistics: Statistics based on the network as a whole rather than on an individual capture buffer. Available in the OmniPeek console. See Monitoring network statistics on page 276.

Capture Options dialog: The dialog used to configure settings for individual capture windows. See Configuring capture options on page 34.

Monitor Options dialog: The dialog used to configure settings for monitoring the network as a whole from the OmniPeek console. See Configuring monitor options on page 277.

CHAPTER 2 Using OmniEngines with OmniPeek


In this chapter:
About OmniEngines . . . . . 12
Displaying the OmniEngines window . . . . . 13
Connecting to an OmniEngine . . . . . 14
Organizing OmniEngines by groups . . . . . 16
Discovering OmniEngines . . . . . 18
The OmniEngines window tabs . . . . . 20
Configuring and updating OmniEngine settings . . . . . 24

About OmniEngines
If you are using OmniPeek as a console for distributed OmniEngines, you will need to connect to the OmniEngines from the OmniEngines window in OmniPeek. (If you are using OmniPeek as a portable network analyzer only, and not as a console for distributed OmniEngines, you do not need to review this chapter.) OmniEngines let you capture and analyze data at any location across the network and perform real-time network analysis from the OmniPeek console. OmniEngines can capture traffic from one or more network interfaces, including Ethernet, full-duplex Gigabit, full-duplex 10 Gigabit, and 802.11 wireless networks. OmniEngine features include:

Statistical and packet analysis, including packet flows and details about nodes, protocols, and sub-protocols. See Chapter 8, Expert Analysis and Chapter 12, Displaying and Reporting Statistics.
Application layer expert diagnoses, Apdex user satisfaction scores, and application response time analysis. See Expert Application view on page 181.
Expert systems diagnoses, including streams-based packet analysis and correlations between events and conversations. See Chapter 8, Expert Analysis.
VoIP signaling and media analysis. See Chapter 11, Voice & Video Analysis.

The OmniEngines window in OmniPeek lets you view and interact with OmniEngines, which do not have a user interface of their own. OmniEngines are configured with the OmniEngine Configuration Wizard, either from the computer on which they are installed or from the OmniPeek computer using the OmniEngine Manager application. Please see Configuring an OmniEngine on page 24.

Note To configure OmniEngine Linux, you must configure it from the OmniPeek computer using the OmniEngine Manager application.

The OmniEngines window in OmniPeek lets you:

Connect, disconnect, or reconnect to one or more OmniEngines
View summaries of all captures on each connected OmniEngine
Create and manage captures on any connected OmniEngine
Manage filters, alarms, and notifications on any connected OmniEngine

Note For information on how to install, configure, and update settings and software on one or more OmniEngines, see Configuring and updating OmniEngine settings on page 24. For detailed instructions, refer to the OmniEngine Getting Started Guide that ships with the OmniEngine or the online help in the OmniEngine Manager application.

Displaying the OmniEngines window


Do one of the following to display the OmniEngines window:

Click View OmniEngines on the Start Page. Choose View > OmniEngines.

The OmniEngines window appears.


The clickable buttons in the OmniEngines window are described here:

Insert Group: Click to create a group folder that allows you to more easily organize OmniEngines.

Insert Engine: Click to insert and connect to a new OmniEngine.

Discover Engines: Click to search for all engines installed on the local segment of your network. See Discovering OmniEngines on page 18.

Delete: Click to remove the selected OmniEngine from the list of OmniEngines.

Connect: Click to connect to the selected OmniEngine.

Disconnect: Click to disconnect from the selected OmniEngine.

Note Right-click inside the list of OmniEngines to display a context menu with additional options for displaying the list of OmniEngines; inserting and discovering OmniEngines; editing, deleting, or renaming OmniEngines; connecting and disconnecting OmniEngines; forgetting all passwords; and importing and exporting OmniEngines.

Connecting to an OmniEngine
In order to view packets and data from an OmniEngine, you must first connect to it from OmniPeek.

To connect to an OmniEngine:

1. From the OmniEngines window, click the Insert Engine button. The Insert Engine dialog appears.

2. Complete the dialog:

Host: Enter the IP address or DNS name of the engine that you want to connect to.
Port: Enter the TCP/IP Port used for communications. The default port for the WildPackets DNX protocol is 6367.
Authentication: Select the method used to authenticate the user. For OmniEngine Windows, select Default. Select Third Party if you are connecting using TACACS, RADIUS, or connecting to a Linux-based Omnipliance.
Domain: Type the Domain for login to the engine. If the OmniEngine is not a member of any Domain, leave this field blank.
Username: Type the Username for login to the OmniEngine.
Password: Type the Password for login to the OmniEngine.

3. Click Connect. When the connection is established, the OmniEngine appears in the list of engines.

Note The Insert Engine dialog will attempt to resolve DNS names, using the DNS server(s) specified in the network settings of the computer from which you are trying to connect.

Note If your OmniEngine is installed on a computer that has a configured Intelligent Platform Management Interface (IPMI) port used for remotely accessing and troubleshooting the computer, the OmniEngine Home tab displays an IPMI Address entry that lists the IP address of the IPMI port on the OmniEngine. Clicking the IP address opens your browser and navigates to the IPMI login page. For more information about using IPMI, refer to the IPMI guide available at ftp://ftp.wildpackets.com/pub/outgoing/IPMI_Guide.pdf.


Organizing OmniEngines by groups


You can add multiple engines to the OmniEngines window. To make it easier to manage multiple engines, you can organize them into groups.

To organize OmniEngines by groups:

1. Click the Insert Group button. A New Group appears in the list of engines.

2. Rename the New Group.

3. With the New Group selected, click the Insert Engine button to add an OmniEngine to the group.


Note Selecting a folder in the list of engines displays a summary of each engine listed in the folder. For OmniEngines that are currently connected, a summary similar to the Home tab summary is displayed. For OmniEngines that are disconnected, a summary that lists the name, address, and last login date and time is displayed. If you selected the Save my password option when you originally connected to the OmniEngine, you can connect to the OmniEngine by clicking Connect from within the summary. The Save my password option must have been selected; otherwise, the connection fails. You can also disconnect from an OmniEngine by clicking Disconnect from within the summary.


Discovering OmniEngines
Clicking the Discover Engines button lets you search for all engines installed on the local segment of your network. You can then insert one or more of the engines that are found into the OmniEngines window, and then connect to those engines.

To insert and connect to OmniEngines using Discover:

1. From the OmniEngines window, click the Discover Engines button. The Discover Engines dialog appears.

2. Click the Discover button on the dialog. All OmniEngines found on the local segment of your network are displayed in the Engines list. Adjusting the Listen for time lets you specify how much time is spent listening for responses to the discovery request. You can enter a minimum of 2 and a maximum of 60 seconds.

3. Clear the check boxes of the OmniEngines that you do not want to add to the Engines list and click OK (by default, the check boxes are selected for all OmniEngines that are discovered). The selected OmniEngines are added to the OmniEngines window.

Tip Right-click in the Engines pane of the Discover Engines dialog and select Uncheck all to clear the check boxes of all OmniEngines.

4. From the OmniEngines window, select the engine that you want to connect to. The Home tab appears and displays the Connect to OmniEngine screen.


5. Complete the login information on the screen:

Authentication: Select the method used to authenticate the user. For OmniEngine Windows, select Default if you don't use another third-party authentication server. For OmniEngine Linux, select Third Party.
Domain: Type the Domain for login to the engine. If the OmniEngine is not a member of any Domain, leave this field blank.
Username: Type the Username for login to the OmniEngine.
Password: Type the Password for login to the OmniEngine.

6. Click Connect. When the connection is established, the engine appears in the OmniEngines window along with all of the tabs appropriate for that OmniEngine.


The OmniEngines window tabs


Once you are connected to one or more OmniEngines, the OmniEngines window displays each OmniEngine currently defined (by name, IP address, and port) and the tabs that allow you to configure properties for the currently selected OmniEngine.

Note If you have a WildPackets TimeLine network recorder, the Files tab is not available. See the TimeLine Network Recorder example below.

Important! Opening or closing the OmniEngines window does not change the connection state for any engines displayed.
[Figure: OmniEngine tabs for a standard OmniEngine]

[Figure: OmniEngine tabs for an OmniEngine on a TimeLine Network Recorder]

OmniEngine tabs
The following tabs allow you to configure properties for a connected OmniEngine:

Home: This tab displays a summary of OmniEngine properties and network settings. Graphical links allow you to quickly access other available tabs for the OmniEngine.

Note The Capture Storage summary displayed in the Home tab of a TimeLine network recorder displays the amount of space available for storing capture data. See Configuring general options on page 35 to allocate the amount of disk space for a capture.

Captures: This tab lists all defined captures, along with summary information about each capture. See OmniEngines Captures tab on page 97.

Forensics: This tab displays the capture sessions available from the storage space on the OmniEngine. You can select one of the capture sessions, display its data in the Timeline graph, and then perform a forensic search on specific parts of the data. See Forensics capture on an OmniEngine on page 55 and Forensic search from the Forensics tab on page 158.

Files (not available from a WildPackets TimeLine network recorder): This tab displays all capture files saved to the OmniEngine. The data folder for saving these files is defined in the General view of the OmniEngine Wizard. See Configuring and updating OmniEngine settings on page 24. You can select one or more of the capture files and then perform a forensic search on the files. See Forensics capture on an OmniEngine on page 55 and Forensic search from the Files tab on page 153.

Forensic Searches: This tab displays all currently active forensic searches occurring on the OmniEngine. Forensic searches are displayed in the Forensic Searches tab until you close a forensic search window and delete the search when prompted, or you delete the search from the list of forensic searches (right-click the search and choose Delete).

When a forensic search is complete, a notification is sent using the source Forensic Search. If you have set up a notification using that source, you are notified with whatever action type you set up (email, SNMP trap, etc.) when the search is complete.

Log: This tab provides a central location in which to collect messages from program processes and events, including program start and stop, notifications, etc. See OmniEngine global log on page 377.

Adapters: This tab displays all available recognized adapters for this OmniEngine. Multiple captures can use the same adapter, or each a different adapter, as long as each capture has one valid adapter selected. To select an adapter for an individual capture, see Configuring adapter options on page 40.

Settings: This tab displays the following sub-tabs:

Graphs: This tab allows you to create and manage graph templates, which can be used by any OmniEngine capture window on that engine. See OmniEngine graph templates on page 333.

Filters: This tab displays a list of all filters present on the OmniEngine and a means of managing them independent of any particular OmniEngine capture window. See OmniEngine filters tab on page 121.

Alarms: This tab provides a list of all the alarms present on the OmniEngine and a means of managing them independent of any particular OmniEngine capture window. See OmniEngine alarms tab on page 345.

Notifications: This tab provides a means of defining Actions (responses to a notification) and invoking these Actions when a notification of a specified severity is generated by an event or process running on an OmniEngine. See Chapter 16, Sending Notifications.

Analysis Modules: This tab displays summary information about each analysis module installed on the OmniEngine. See OmniEngine analysis modules on page 386.

Trust Table (OmniEngine Windows only): This tab allows you to associate 802.11 WLAN addresses with a trust value: Trusted, Known, or Unknown. These values are used by the WLAN and Summary views of an OmniEngine capture window. See Chapter 17, Using the Name Table.

Matrix Switches (OmniEngine Windows only): This tab lets you create a great variety of interconnections between connected devices on your distributed network, allowing you to change focus from one network segment to another quickly and easily. See Chapter 27, Using Matrix Switches.

Configuring and updating OmniEngine settings


The OmniEngine Manager, installed by default with OmniPeek, allows you to configure a single OmniEngine, as well as perform simultaneous global updates to a group of OmniEngines.

Configuring an OmniEngine
Run the OmniEngine Wizard of OmniEngine Manager to configure an OmniEngine.

Note To configure OmniEngine Linux, you must run OmniEngine Manager from an OmniPeek computer connected to the network.

To configure an OmniEngine using the OmniEngine Wizard:

1. Choose Start > All Programs > WildPackets OmniEngine Manager. The OmniEngine Manager appears.

2. Connect to an OmniEngine in the Workspace area and click the Configuration button in the toolbar. The OmniEngine Configuration Wizard appears.

3. Configure the OmniEngine settings:

General: These settings set the name, IP address and port of an OmniEngine, capture restart, and the location of the Data folder. All user-created files, such as Packet Files saved during capture, are stored in the Data folder.

Security: These settings set encryption, third-party authentication, and data compression for the data stream between OmniPeek and an OmniEngine. You can also enable auditing, which creates a log of OmniEngine access events.

Access Control: These settings let you control access to an OmniEngine and its features by associating users (username and password pairs defined in the operating system security settings) with classes of tasks on the OmniEngine called Policies. Policies include such tasks as starting or modifying a capture created by another user, viewing results, and so forth.

For detailed instructions on how to configure OmniEngine settings, see the OmniEngine Getting Started Guide or the online help in the OmniEngine Manager application.

Updating software and settings


The OmniEngine Manager allows you to perform simultaneous global updates to a group of OmniEngines by:

Scheduling and running remote software updates for multiple OmniEngines of the same class.
Distributing settings for filters, alarms, and graph templates across multiple OmniEngines.
Distributing Access Control Lists (ACLs) to multiple OmniEngines in a single Domain.

To open the OmniEngine Manager:

1. Choose Start > All Programs > WildPackets OmniEngine Manager. The OmniEngine Manager appears.

2. Click the Update Software button to update the OmniEngine software for one or more OmniEngines using the Engine Update service.

Note Updating OmniEngine software is not supported in OmniEngine Linux.

3. Click the Update Settings button to update the settings for filters, alarms, or remote graph templates for one or more OmniEngines.

4. Click the Update ACL button to distribute a single Access Control List (ACL) to multiple OmniEngines running on machines belonging to the same Domain.


For detailed instructions on how to update the software or settings for a group of OmniEngines, see the OmniEngine Getting Started Guide or the online help in the OmniEngine Manager application.


CHAPTER 3 The Capture Window


In this chapter:
About capture windows . . . . . 30
Creating an OmniPeek capture window . . . . . 30
Creating an OmniEngine capture window . . . . . 31
Configuring capture options . . . . . 34
Navigating a capture window . . . . . 46
Capture window views . . . . . 47
Opening saved capture files . . . . . 50
Splitting saved capture files . . . . . 52
Using capture templates . . . . . 52
Forensics capture on an OmniEngine . . . . . 55
Monitoring capture on an OmniEngine . . . . . 56

About capture windows


Capture windows are the main interface for presenting traffic analysis information about your network. With OmniPeek and OmniEngine, you can have multiple configurable capture windows, each with its own selected adapter, its own dedicated capture buffer, and its own settings for filters, triggers, and statistics output. The number of capture windows you can have open at one time is limited only by the amount of available system resources.

Creating an OmniPeek capture window


To create an OmniPeek capture window:

1. To start a new capture, do one of the following:

Click New Capture on the Start Page
Choose File > New Capture

The General options of the OmniPeek Capture Options dialog appear.

2. Configure the General options. Click the Help button on the dialog or see Configuring general options on page 35 for more information.

3. Choose an adapter in the Adapter Options. Click the Help button on the dialog or see Configuring adapter options on page 40 for more information.

Note For a description of other configuration options, see Configuring capture options on page 34.

4. Click OK. A new OmniPeek capture window appears.


See Capture window views on page 47 to learn more about the different views available from the navigation pane of every capture window.

Creating an OmniEngine capture window


To create an OmniEngine capture window:

1. Do one of the following to open the OmniEngines window:

Click View OmniEngines on the Start Page
Choose View > OmniEngines

The OmniEngines window appears.

2. Connect to an OmniEngine. (To connect to an OmniEngine, see Connecting to an OmniEngine on page 14.) The Home tab for the OmniEngine appears.


3. From the Home tab, click New Capture (under the Captures icon) and select the type of capture window that you would like to create:

New Capture: This option lets you create a new capture window based on the capture settings that you define. See Configuring capture options on page 34.

New Forensics Capture: This option lets you create a new capture window based on pre-configured capture settings optimized for post-capture forensic analysis. See Forensics capture on an OmniEngine on page 55.

New Monitoring Capture: This option lets you create a new capture window based on pre-configured capture settings optimized to produce higher level expert and statistical data in a continuous real-time capture. See Monitoring capture on an OmniEngine on page 56.

Edit Capture Templates: This option opens the Capture Templates dialog and allows you to create new or edit existing capture templates. See OmniEngine capture templates on page 53.

The General options of the OmniEngine Capture Options dialog appear.

Note You can also select the above options from the Insert button drop-down list available from the Captures tab, and from the New Capture options available from the Adapters tab.

4. Configure the General options. Click the Help button on the dialog or see Configuring general options on page 35.

5. Choose a capture adapter in Adapter options. See Configuring adapter options on page 40.

Note For a description of the other views available from the Capture Options dialog, see Configuring capture options on page 34.

6. Click OK. A new OmniEngine capture window appears.

See Capture window views on page 47 to learn more about the different views available from the navigation pane of every capture window.


Configuring capture options


You can have multiple capture windows open simultaneously, capturing and displaying data in real time. The various capture options in the OmniPeek and OmniEngine Capture Options dialog let you configure each of these windows to have their own capture settings.

[Figure: OmniPeek capture options]

[Figure: OmniEngine capture options]

The Capture Options dialog has the following options for configuring capture settings:

Note If you have a WildPackets TimeLine network recorder, some of the OmniEngine capture options may not be available (and are greyed-out) depending on the capture options that are configured.


General: General options let you set the capture buffer size and other packet capture parameters. Each capture has its own capture buffer. See Configuring general options on page 35.

Adapter: Adapter options let you select and configure the adapter used for captures. All available recognized adapters are displayed in this view. Multiple capture windows can use the same adapter, or each a different adapter, as long as each capture window has one valid adapter selected. See Configuring adapter options on page 40.

802.11 (OmniPeek only): 802.11 options let you control channel selection and security for the selected adapter. See Configuring wireless channels and encryption on page 414.

Hardware Profiles (OmniPeek only): Hardware profile options let you configure hardware filters and packet slicing directly on Gigabit analyzer cards. See Configuring hardware profiles for OmniAdapters on page 426.

Triggers: Trigger options let you set triggers to start and stop a capture based on a time event or a filter match. See Setting triggers on page 350.

Filters: Filter options let you enable or disable filters used for capturing packets. See Enabling filters from the Capture Options dialog on page 124.

Alarms (OmniEngine only): Alarm options let you enable or disable individual alarms for a particular OmniEngine capture window. See OmniEngine capture window alarms on page 346.

Graphs (OmniEngine only): Graph options let you manage all aspects of remote statistics graphing capabilities. See OmniEngine graphs capture options on page 329.

Statistics Output: Statistics output options let you control the periodic output of statistics while the capture window is open and capturing. Choose from several groups of statistics in a variety of report and file output formats. See Generating statistics output reports on page 302.

Analysis Options: Analysis options let you optimize capture performance by selectively disabling certain functions and freeing up system resources. See Optimizing capture performance on page 411.

Configuring general options


The General options of the Capture Options dialog let you specify settings for continuous captures, saving captures to disk, and packet slicing for each capture window that you create.

Note If you are creating a New Forensics Capture for an OmniEngine on a WildPackets TimeLine network recorder, the Capture Options dialog differs from the standard OmniEngine Capture Options dialog. See the OmniEngine and TimeLine network recorder examples below.

OmniPeek General Options

OmniEngine General Options

OmniEngine General Options (for TimeLine network recorder only)

Here are descriptions of each of the General capture options:

Capture title: Type a name for the capture window, or accept the default. Use unique names to help identify specific capture windows.

Continuous capture: Select this option to enable the continuous capture of packets into the capture buffer. Capture does not stop until it is stopped by the user or by a stop trigger.

Important! When you select Continuous capture, statistics for the capture window reflect all of the packets seen since it last began capturing, not only the packets currently in the buffer. If you did not also select Capture to disk, only the packets currently in the buffer are available for analysis; earlier packets are no longer available.

Capture to disk (OmniPeek and OmniEngine only): Select this option to save packets to a capture file on your disk. In an OmniEngine, the packets are saved to the data folder configured when you set up the OmniEngine. See the OmniEngine Getting Started Guide that ships with your OmniEngine, or the online help in the OmniEngine Manager application.

File path (OmniPeek only): Type or browse to the location for saving capture files.

File name (OmniEngine only): Type the base file name used when saving continuous capture files to disk. Each capture file created with the Capture to disk option takes this base name, followed by a timestamp indicating the date and time the file was saved. The format of the timestamp is YYYY-MM-DDHH.MM.SS.mmm.

Tip By default, the timestamp reflects local time and is placed immediately after the file name you entered. You can place the timestamp elsewhere in the file name by using the # character as a token for the timestamp. To have the timestamp written in Coordinated Universal Time (UTC) instead of local time, place the letter z immediately after the hash symbol; when UTC is in use, the letter z appears at the end of the timestamp. Record which convention a capture used: files stamped in local time cannot be correlated with UTC-stamped evidence from other systems without knowing the engine's time zone at the time of capture.

File size: Enter or select the maximum file size before a new file is created.

Stop saving after: Select this option and specify a size limit, in megabytes, for the amount of disk space reserved for all capture files that are created using the Capture to disk option. Once the size limit has been reached, no more capture files are saved to disk.

Keep most recent: Select this option and specify a limit for the number of capture files that are created using the Capture to disk option. Once the file limit has been reached, the oldest capture file is replaced with a newer capture file.

New file every: Select this option and specify the number and period (Minutes, Hours, Days) at which to create a new file.

Timeline VoIP Stats (OmniEngine only): Select this option to turn on the Call Quality view type for this capture. See Forensic search from the Forensics tab on page 158 or Forensic search from the Forensics Capture window on page 168 for information on view types.

Timeline Top Stats (OmniEngine only): Select this option to turn on the Top Statistics calculation during the capture.

Note Selecting the Timeline VoIP Stats option may affect capture performance, especially when there are more than 3000 simultaneous calls on the network. Selecting the Timeline Top Stats option may affect capture performance, especially when there are more than 10,000 active nodes captured on the network.

Capture to disk (TimeLine network recorder only): Select this option to store capture data to the storage devices in the recorder. Unlike a standard OmniEngine, you cannot specify a specific location for the data.

Disk space for this capture: Move the slider (or enter a value in the text box) to set the amount of hard disk space allocated for this capture. The permitted values depend on the total disk and on the number of RAID controllers. With two RAID controllers, the value must be a multiple of 8; the minimum is 8 GB for a non-continuous capture and 16 GB for a continuous capture. With one RAID controller, the value must be a multiple of 4; the minimum is 4 GB for a non-continuous capture and 8 GB for a continuous capture. The approximate durations (in hh:mm:ss) of captured data at 10 Gbit/s, 1 Gbit/s, and 100 Mbit/s are displayed below the slider.

Timeline VoIP Stats: Select this option to turn on the Call Quality view type for this capture. See Forensic search from the Forensics tab on page 158 or Forensic search from the Forensics Capture window on page 168 for information on view types.

Timeline Top Stats: Select this option to turn on the Top Statistics calculation during the capture.

Note Selecting the Timeline VoIP Stats option may affect capture performance, especially when there are more than 3000 simultaneous calls on the network. Selecting the Timeline Top Stats option may affect capture performance, especially when there are more than 10,000 active nodes captured on the network.

Limit each packet to: Select this option and specify a size limit, in bytes, to capture only the first part of each packet instead of the whole packet. This is called packet slicing; it saves space in the capture buffer and on disk so that more packets can be captured, at the cost of everything beyond the cut, which cannot be recovered later. For example, entering a value of 132 captures only the first 132 bytes of each packet. We recommend a value of 128 bytes or greater so that, at a minimum, all of the bytes of the packet headers are captured. Header stacks with VLAN tags, tunnel encapsulations, or full IP and TCP option fields can exceed 128 bytes, so choose the limit from the traffic you expect rather than from the default.

Discard duplicate packets (OmniPeek and OmniEngine only): Select this option to discard duplicate packets from the capture buffer.

Note Discard duplicate packets is not supported for sliced packets.

Buffer size: Enter a buffer size, in megabytes, for the amount of memory dedicated to the capture buffer. The default is 100 megabytes.

Show this dialog when creating a new capture window (OmniPeek only): Select this option to display the General options of the Capture Options dialog whenever a new capture window is created.


Tip Clear the Show this dialog when creating a new capture window check box to have subsequent capture windows created using the same settings you have just set in the Capture Options dialog. Each time you create a new capture window, it opens immediately using these settings.

Start capture immediately (OmniEngine and TimeLine network recorder only): Select this option to begin capturing packets as soon as the OK button is clicked.

Open capture window (OmniEngine and TimeLine network recorder only): Select this option to display a new capture window once the OK button has been clicked.

Save as template (OmniEngine and TimeLine network recorder only): Select this option to create a new OmniEngine capture template based on the current settings.
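The file-naming rules described under File name (base name, timestamp, the # placement token, z for UTC) are what a responder has to parse when reconstructing a recording from the files an OmniEngine left on disk. The following is an added example, not code from the OmniPeek User Guide or from WildPackets: it parses such names, honours the z marker, and checks a series of files rolled with New file every for gaps. It assumes a .pkt extension, that the timestamp is written as shown above with at most one T or space between the date and time parts, and the sample names are constructed.

```python
"""Parse OmniEngine 'Capture to disk' file names and check a continuous-capture series for gaps.

Added example; this is not code from the OmniPeek User Guide or from WildPackets.
Assumed naming (from the File name description in the guide):
    <base><YYYY-MM-DD><sep><HH.MM.SS.mmm>[z].pkt
where a trailing 'z' marks a UTC timestamp, <sep> is an optional single 'T' or space
between the date and time parts (the guide prints them adjacent), and the base name may
sit after the timestamp when '#' was used as the placement token.
"""
import re
from datetime import datetime, timedelta, timezone

_STAMP = re.compile(
    r"^(?P<pre>.*?)(?P<date>\d{4}-\d{2}-\d{2})[T ]?"
    r"(?P<time>\d{2}\.\d{2}\.\d{2}\.\d{3})(?P<utc>z?)(?P<post>.*?)\.pkt$"
)


def parse_capture_name(name):
    """Return (base_name, timestamp) for a capture file name, or None if it does not match.

    Names carrying the 'z' marker get tzinfo=UTC; the rest stay naive, i.e. engine local time.
    """
    m = _STAMP.match(name)
    if not m:
        return None
    ts = datetime.strptime(m["date"] + m["time"], "%Y-%m-%d%H.%M.%S.%f")
    if m["utc"]:
        ts = ts.replace(tzinfo=timezone.utc)
    return (m["pre"] + m["post"], ts)


def find_gaps(names, new_file_every, tolerance=timedelta(seconds=5)):
    """Order a time-rolled series and return (start, next_start, delta) for every suspicious gap.

    new_file_every is the 'New file every' period configured for the capture. Consecutive
    files should start one period apart; a larger delta means files are missing or the
    engine was not writing. Names that do not parse are skipped. Mixing UTC-stamped and
    local-time names raises TypeError when sorted, which is correct: they cannot be ordered
    without knowing the engine's time zone.
    """
    stamped = sorted((p for p in map(parse_capture_name, names) if p), key=lambda p: p[1])
    gaps = []
    for (_, a), (_, b) in zip(stamped, stamped[1:]):
        delta = b - a
        if delta > new_file_every + tolerance:
            gaps.append((a, b, delta))
    return gaps


# Constructed sample: a 15-minute series from a capture named "core-uplink", stamped in UTC.
# The 10:30 file is deliberately absent, and a non-capture file is mixed in.
SAMPLE_PERIOD = timedelta(minutes=15)
SAMPLE_NAMES = [
    "core-uplink2012-05-0110.45.00.011z.pkt",
    "core-uplink2012-05-0110.00.00.000z.pkt",
    "core-uplink2012-05-0110.15.00.004z.pkt",
    "core-uplink2012-05-0111.00.00.002z.pkt",
    "notes.txt",
]

if __name__ == "__main__":
    for start, nxt, delta in find_gaps(SAMPLE_NAMES, SAMPLE_PERIOD):
        print(f"gap of {delta} between {start.isoformat()} and {nxt.isoformat()}")
```

Run as a script it lists the gaps; the sample series is missing its 10:30 file and reports one gap of about 30 minutes. Because local-time names carry no zone marker, compare them only with other local-time names from the same engine.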
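To see concretely what Limit each packet to keeps, here is an added example (not code from the OmniPeek User Guide or from WildPackets) that builds a constructed Ethernet/IPv4/TCP frame, truncates it as the slicing option does, and reports which header fields are still readable afterwards. It also computes the smallest slice that preserves every header, which for a VLAN-tagged frame carrying full IPv4 and TCP option fields is 138 bytes, above the 128-byte recommendation. The frame contents and option bytes are constructed.

```python
"""What packet slicing keeps and what it loses.

Added example; this is not code from the OmniPeek User Guide or from WildPackets. It builds a
constructed Ethernet/IPv4/TCP frame, applies 'Limit each packet to N bytes' as a plain
truncation, and reports which header fields a flow-level analysis can still recover from
the sliced packet. Header sizes used: Ethernet 14, 802.1Q tag 4, IPv4 20 to 60, TCP 20 to 60.
"""
import struct

ETH_8021Q = 0x8100
ETH_IPV4 = 0x0800


def build_frame(vlan=None, ip_opts=b"", tcp_opts=b"", payload=b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"):
    """Constructed sample frame (checksums left zero; nothing here validates them)."""
    ip_opts += b"\x00" * (-len(ip_opts) % 4)    # option fields are padded to 32-bit words
    tcp_opts += b"\x00" * (-len(tcp_opts) % 4)
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if vlan is not None:
        eth += struct.pack("!HH", ETH_8021Q, vlan)
    eth += struct.pack("!H", ETH_IPV4)
    ihl, doff = 5 + len(ip_opts) // 4, 5 + len(tcp_opts) // 4
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, (doff << 12) | 0x018, 65535, 0, 0) + tcp_opts + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([192, 0, 2, 8])) + ip_opts
    return eth + ip + tcp


def slice_packet(frame, limit):
    """'Limit each packet to' as the engine applies it: only the first limit bytes are kept."""
    return frame[:limit]


def headers_length(frame):
    """Bytes from frame start to the TCP payload: the smallest slice that keeps every header.

    Assumes an (optionally 802.1Q-tagged) Ethernet/IPv4/TCP frame, as build_frame produces.
    """
    off = 12
    ethertype = struct.unpack_from("!H", frame, off)[0]
    off += 2
    while ethertype == ETH_8021Q:
        ethertype = struct.unpack_from("!H", frame, off + 2)[0]
        off += 4
    off += (frame[off] & 0x0F) * 4
    return off + (frame[off + 12] >> 4) * 4


def parse_flow(sliced):
    """Recover what a sliced packet still exposes; a missing key means the cut removed it."""
    out = {}
    off = 12
    if len(sliced) < off + 2:
        return out
    ethertype = struct.unpack_from("!H", sliced, off)[0]
    off += 2
    while ethertype == ETH_8021Q:                 # one 4-byte tag per 802.1Q header
        if len(sliced) < off + 4:
            return out
        ethertype = struct.unpack_from("!H", sliced, off + 2)[0]
        off += 4
    if ethertype != ETH_IPV4 or len(sliced) < off + 20:
        return out
    ihl = (sliced[off] & 0x0F) * 4
    out["proto"] = sliced[off + 9]
    out["src"], out["dst"] = (".".join(map(str, a)) for a in struct.unpack_from("!4s4s", sliced, off + 12))
    off += ihl
    if out["proto"] != 6 or len(sliced) < off + 4:
        return out
    out["sport"], out["dport"] = struct.unpack_from("!HH", sliced, off)
    if len(sliced) < off + 14:
        return out
    doff = (sliced[off + 12] >> 4) * 4
    out["flags"] = sliced[off + 13] & 0x3F
    out["tcp_header_complete"] = len(sliced) >= off + doff
    out["payload_bytes"] = max(0, len(sliced) - off - doff)
    return out


if __name__ == "__main__":
    plain = build_frame()
    worst = build_frame(vlan=100, ip_opts=b"\x01" * 40, tcp_opts=b"\x01" * 40)
    print("headers: plain", headers_length(plain), "bytes; tagged with full options", headers_length(worst))
    for limit in (32, 40, 54):
        print(limit, "bytes of the plain frame:", parse_flow(slice_packet(plain, limit)))
    print(128, "bytes of the tagged frame:", parse_flow(slice_packet(worst, 128)))
```

For the untagged frame a 54-byte slice keeps the full 5-tuple and TCP flags with no payload; 40 bytes still yields the ports but cuts the flags, and 32 bytes loses the IP header entirely. The 128-byte slice of the tagged, fully-optioned frame keeps the ports and flags but not the complete TCP header, which is why the limit should follow the header stack you actually carry.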

Configuring adapter options


The Adapter options of the Capture Options dialog let you choose an adapter for this capture.

To select an adapter for an OmniPeek capture:

1. Click the Adapter options of the OmniPeek Capture Options dialog.

2. Select the capture adapter:

File: Select a file, or choose New File Adapter, to simulate network conditions without having to be connected to a network, or without having a supported adapter installed on your computer. This option replays an existing trace file.


Module: Aggregator: Choose New Adapter to select the adapters used to aggregate data. The Aggregator lets you capture traffic from multiple sources. For wired traffic, it aggregates packets from multiple wired adapters. For wireless traffic, it captures wireless packets from multiple channels simultaneously (without scanning), measures vital statistics on each channel separately, and calculates the latency of devices roaming between access points. See Capturing Packets from an Aggregator Adapter on page 42.

Module: Aruba Remote Adapter: Choose New Adapter to select an Aruba Remote Adapter. The Aruba Remote Adapter lets you stream packets from one or more Aruba access points into a running wireless capture window in OmniPeek. To begin streaming packets, you will need to first create a new Aruba Remote Adapter entry, and then select the new adapter as the adapter for a capture window. See Capturing Packets from an Aruba Remote Adapter on page 43.

Module: Cisco Remote Adapter: Choose New Adapter to select a Cisco Remote Adapter. The Cisco Remote Adapter lets you stream packets from one or more Cisco access points into a running wireless capture window in OmniPeek. To begin streaming packets, you will need to first create a new Cisco Remote Adapter entry, and then select the new adapter as the adapter for a capture window. See Capturing Packets from a Cisco Remote Adapter on page 44.

Module: Compass Adapter: Choose New Adapter to select a Compass remote adapter. The Compass remote adapter lets you aggregate statistics from any number of capture files (in the *.pkt format only) over a reasonable period of time, and then display those statistics in the Compass dashboard. To view a multiple file Compass dashboard, you will need to first create a new Compass adapter entry, and then select the new adapter as the adapter for a capture window. See Compass dashboard on page 70.

Local machine: Select a network adapter installed on the OmniPeek computer. All locally installed network adapters are listed; however, only a supported network adapter can be selected as the capture adapter.

Information about the selected OmniPeek adapter is displayed below the list of adapters. For example, if you are capturing packets on a WLAN, only 802.11 wireless adapters that support the WildPackets API can be used to capture packets. If the description for WildPackets API is Yes, the adapter can be used; if it is No, the adapter may not be a supported 802.11 wireless adapter, or it may not have the WildPackets driver installed yet. See Supported adapters on page 5.

Tip You can right-click an adapter to configure certain settings such as network speed options (the available options depend on the type of adapter). In certain cases you may want to override the network speed default setting (Auto sense). For example, you may wish to set a nominal network speed for a particular adapter to ensure consistent statistics reporting.

To select an adapter for an OmniEngine capture:

1. Click the Adapter options of the OmniEngine Capture Options dialog.

2. Select the capture adapter.

3. Click Options to open the Adapter Options dialog, where you can configure 802.11, gigabit, network speed, and buffer options (the available options depend on the type of adapter selected). For more information:

See Configuring wireless channels and encryption on page 414.
See Configuring hardware profiles for OmniAdapters on page 426.

Note Click the Help button on the Adapter Options dialog to learn more about the available settings.

Capturing Packets from an Aggregator Adapter


The Aggregator Adapter lets you capture traffic from multiple wired or wireless sources. You can enable or disable the Aggregator Adapter functionality in OmniPeek from the Analysis Modules view of the Options dialog. See Aggregator Adapter on page 501.

Note Capturing packets from an Aggregator Adapter is not supported from an OmniEngine.

To capture packets from an Aggregator Adapter:

1. Create a new capture window in OmniPeek. The Capture Options dialog appears.

2. Select the Adapter options.

3. Click New Adapter below the Module: Aggregator entry. The Aggregator Settings dialog appears.

4. Enter a name for the Aggregator adapter.

5. Select either the Wired Connections or Wireless Connections check box. A list of wired or wireless adapters is displayed in the window. Any wireless adapter that is not using the WildPackets API also shows up under wired connections.

6. Select the check box of one or more adapters that you want to use to capture and analyze traffic.

7. Click OK to close the Aggregator Settings dialog.

8. Click OK to close the Capture Options dialog. A new capture window appears with a Start / Stop Aggregator button in the upper right corner.

9. Click the Start Aggregator button.

10. Click the Stop Aggregator button to stop capturing packets. No additional packets are allowed into the capture buffer.

Note An aggregator capture window using wireless adapters displays roaming latency data in the three Roaming views. See Roaming latency analysis on page 422.

Capturing Packets from an Aruba Remote Adapter


The Aruba Remote Adapter lets you stream packets from one or more Aruba access points into a running wireless capture window in OmniPeek. To begin streaming packets, you will need to create a new Aruba Remote Adapter entry, and then select the new adapter as the adapter for a capture window. You can enable or disable the Aruba Remote Adapter functionality in OmniPeek from the Analysis Modules view of the Options dialog. See Aruba Remote Adapter on page 502.

Note Capturing packets from an Aruba Remote Adapter is not supported from an OmniEngine.


To capture packets from an Aruba Remote Adapter:

1. Create a new capture window in OmniPeek. The Capture Options dialog appears.

2. Select the Adapter options.

3. Click New Remote Adapter below the Module: Aruba Remote Adapter entry. The Aruba Remote Adapter Properties dialog appears.

4. Enter a Name and Port for the Aruba adapter. The name can be anything; the port number defaults to 5000 (the default port number used by Aruba access points).

5. Click OK to close the Aruba Remote Adapter Properties dialog.

6. Select the new adapter and click OK to close the Capture Options dialog. A new capture window appears with a Start / Stop Aruba Capture button in the upper right corner.

7. Click the Start Aruba Capture button. Packets do not populate the capture window until the Aruba controller begins sending packets to the OmniPeek computer, as noted below.

Important! To send packets from an Aruba access point to the IP address and port of the OmniPeek computer, you must configure the access point through the web-based user interface of the Aruba controller. While the access point is sending packets, it is not operating as an access point. When you want to stop sending packets, you must configure the Aruba access point (via the Aruba controller) to stop sending packets; otherwise, the OmniPeek computer sends an ICMP Destination Port Unreachable message for every incoming packet received. This impacts the performance of the OmniPeek computer and possibly your network. Refer to your Aruba documentation for instructions. See also our website at http://www.wildpackets.com/support/additional_resources/plugin_tips for additional information on configuring the Aruba Remote Adapter.

8. Click the Stop Aruba Capture button to stop capturing packets. No additional packets are allowed into the capture buffer.

Note Stopping the capture in OmniPeek does not stop the stream: the Aruba access point continues sending packets to the OmniPeek computer until it is configured to stop. Each packet that is not accepted into the capture window buffer is answered with an ICMP Destination Port Unreachable message, so stop the stream at the controller before, or immediately after, stopping the capture.

Capturing Packets from a Cisco Remote Adapter


The Cisco Remote Adapter lets you stream packets from one or more Cisco access points into a running wireless capture window in OmniPeek. To begin streaming packets, you will need to first create a new Cisco Remote Adapter entry, and then select the new adapter as the adapter for a capture window. You can enable or disable the Cisco Remote Adapter functionality in OmniPeek from the Analysis Modules view of the Options dialog. See Cisco Remote Adapter on page 503.

Note Capturing packets from a Cisco Remote Adapter is not supported from an OmniEngine.

To capture packets from a Cisco Remote Adapter:

1. Create a new capture window in OmniPeek. The Capture Options dialog appears.

2. Select the Adapter options.

3. Click New Remote Adapter below the Module: Cisco Remote Adapter entry. The Cisco Capture Adapter Properties dialog appears.

4. Enter a Name and the IP address of the access point. Leaving the IP address blank accepts packets from any access point; specify it when you know which access point should be sending.

5. Click OK to close the Cisco Capture Adapter Properties dialog.

6. Select the new adapter and click OK to close the Capture Options dialog. A new capture window appears with a Start / Stop Cisco Capture button in the upper right corner.

7. Click the Start Cisco Capture button. Packets do not populate the capture window until the Cisco controller begins sending packets to the OmniPeek computer, as noted below.

Important! To send packets from a Cisco access point to the IP address of the OmniPeek computer, you must configure the access point through the web-based user interface of the Cisco controller. While the access point is sending packets, it is not operating as an access point. When you want to stop sending packets, you must configure the Cisco access point (via the Cisco controller) to stop sending packets; otherwise, the OmniPeek computer sends an ICMP Destination Port Unreachable message for every incoming packet received. This impacts the performance of the OmniPeek computer and possibly your network. Refer to your Cisco documentation for instructions. See also our website at http://www.wildpackets.com/support/additional_resources/plugin_tips for additional information on configuring the Cisco Remote Adapter.

8. Click the Stop Cisco Capture button to stop capturing packets. No additional packets are allowed into the capture buffer.

Note Stopping the capture in OmniPeek does not stop the stream: the Cisco controller continues sending packets to the OmniPeek computer until it is configured to stop. Each packet that is not accepted into the capture window buffer is answered with an ICMP Destination Port Unreachable message, so stop the stream at the controller before, or immediately after, stopping the capture.
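Both the Aruba and the Cisco procedures above share the same failure mode: the capture is stopped in OmniPeek but the access point keeps streaming, and the analyzer answers each datagram with an ICMP Destination Port Unreachable. The following added example, not code from the OmniPeek User Guide or from WildPackets, shows how to confirm that from a packet trace taken on the analyzer host. The log lines are constructed and approximate tcpdump -n output; the port is the Aruba default 5000 given above, and a Cisco stream is checked the same way with whatever port your adapter entry uses.

```python
"""Spot an access point that keeps streaming to an analyzer that has stopped listening.

Added example; this is not code from the OmniPeek User Guide or from WildPackets. The guide
notes that after the Aruba or Cisco capture is stopped, every datagram the access point still
sends is answered with an ICMP Destination Port Unreachable. This pairs inbound UDP datagrams
with those replies in tcpdump -n style lines taken on the analyzer host. The sample lines are
constructed; the line layout approximates tcpdump -n output and the port is the Aruba default
(5000) named in the text. Pass whatever port your remote adapter entry uses.
"""
import re

_UDP = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.\d+ > (?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): UDP, length \d+$"
)
_ICMP_UNREACH = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3}) > (?P<dst>\d+(?:\.\d+){3}): "
    r"ICMP \S+ udp port (?P<port>\d+) unreachable, length \d+$"
)


def stream_status(lines, analyzer_ip, listen_port):
    """Per sending address: datagrams aimed at listen_port, how many were refused, and whether
    the most recent one was refused (the stream is still running with nobody to receive it).

    Returns {ap_ip: {"datagrams": n, "unreachable": m, "orphaned": bool}}.
    """
    stats = {}
    for line in lines:
        m = _UDP.match(line)
        if m and m["dst"] == analyzer_ip and int(m["dport"]) == listen_port:
            s = stats.setdefault(m["src"], {"datagrams": 0, "unreachable": 0, "orphaned": False})
            s["datagrams"] += 1
            s["orphaned"] = False          # latest datagram not (yet) refused
            continue
        m = _ICMP_UNREACH.match(line)
        if m and m["src"] == analyzer_ip and int(m["port"]) == listen_port and m["dst"] in stats:
            s = stats[m["dst"]]
            s["unreachable"] += 1
            s["orphaned"] = True           # analyzer refused the latest datagram
    return stats


# Constructed sample, approximating 'tcpdump -n' on the analyzer host 10.20.0.9.
# AP 10.20.0.41 keeps streaming after the capture was stopped; AP 10.20.0.42 was stopped
# at the controller; the last line is unrelated DNS traffic that must be ignored.
SAMPLE_LINES = [
    "10:02:10.000100 IP 10.20.0.41.5000 > 10.20.0.9.5000: UDP, length 188",
    "10:02:10.000900 IP 10.20.0.42.5000 > 10.20.0.9.5000: UDP, length 212",
    "10:02:11.114532 IP 10.20.0.41.5000 > 10.20.0.9.5000: UDP, length 188",
    "10:02:11.114601 IP 10.20.0.9 > 10.20.0.41: ICMP 10.20.0.9 udp port 5000 unreachable, length 224",
    "10:02:11.120000 IP 10.20.0.41.5000 > 10.20.0.9.5000: UDP, length 190",
    "10:02:11.120070 IP 10.20.0.9 > 10.20.0.41: ICMP 10.20.0.9 udp port 5000 unreachable, length 226",
    "10:02:12.000000 IP 10.20.0.7.40000 > 10.20.0.9.53: UDP, length 60",
]
ANALYZER_IP, ARUBA_DEFAULT_PORT = "10.20.0.9", 5000

if __name__ == "__main__":
    for ap, s in stream_status(SAMPLE_LINES, ANALYZER_IP, ARUBA_DEFAULT_PORT).items():
        state = "still streaming, analyzer refusing" if s["orphaned"] else "ok"
        print(f"{ap}: {s['datagrams']} datagrams, {s['unreachable']} refused: {state}")
```

An address reported as orphaned is an access point that must be told to stop at its controller; until then every datagram it sends costs the analyzer an ICMP reply, which is the load the Important! notes above warn about.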


Navigating a capture window


The parts of the capture window are identified below.
Capture window layout (figure callouts): Capture Window Title, Start/Stop Capture, Progress Section, Filter Bar, Navigation Pane, Status Bar, View Section.

Capture Window Title: Displays the user-defined (or default) title of the capture window.

Progress Section: Displays packet, memory, and filter information:

Packets received: Displays the total number of packets received since the capture was initiated.

Packets filtered: Displays the total number of packets received for this capture window that have passed any enabled filters.

Buffer usage: Displays the percentage of capture buffer memory used for this capture window.


Filter state: Summarizes any enabled filter conditions.

Start/Stop Capture: Starts or stops a capture. When a trigger is set for the capture window, this button is labeled Start/Stop Trigger. See Setting triggers on page 350.

Filter bar: This area lets you quickly create advanced filters directly in a capture window. See Creating filters with the filter bar on page 135.


Navigation Pane: Displays available views for the capture window. The views that are available in an OmniEngine capture window depend on the type of OmniEngine that is connected, and the Graphs and Analysis Options capture settings configured for that capture window. For descriptions of available capture window views, see Capture window views on page 47.

Navigation pane right-click options:

Undock: Undocks the selected view from the capture window, making it easier to display and organize views. To dock the view back to the capture window, close the undocked view.

Default View: Sets the selected view as the default view for subsequent capture windows.
Status Bar: Displays status information:

Capture status: Displays the state of the capture process.

Current adapter: Displays the adapter currently selected as the capture adapter.

Packets: Displays the number of packets in the capture buffer.

Duration: Displays the difference between the earliest and the most recent packet in the capture buffer.


View Section: Displays the contents of the selected view.

Capture window views


The navigation pane of every capture window presents the views that display information about the capture data. A capture window can have the following views:

Dashboards: These dashboards display graphical data about your network summarized into several easy-to-read displays.

TimeLine: This dashboard provides an overview of the top talkers, top protocols, and network utilization for the OmniEngine. See Timeline dashboard on page 60.

Network: This dashboard provides an overview of network statistics for the capture. See Network dashboard on page 63.


Voice & Video: This dashboard provides a visual display of several VoIP-related statistics for the capture window. See Voice & Video dashboard on page 64.

Apdex: This dashboard lets you visualize the data in the Expert Application view. See Apdex dashboard on page 66.


Compass: This dashboard lets you view network utilization, top nodes, and top protocols statistics from a real-time capture occurring on an OmniPeek network analyzer, from a single supported capture file, or from multiple OmniPeek capture files (*.pkt). See Compass dashboard on page 70.

Capture: These views display information about packets captured into the capture buffer.

Packets: This view lists all of the packets placed in the buffer of a capture window (or capture file). The Decode and Hex panes show the contents of the selected packet decoded or in hexadecimal and ASCII. See Viewing captured packets on page 98.

Log: This view collects messages generated by events relating to the particular capture window. These events include the results of notifications generated by the triggers or analysis modules selected for the capture window. See Chapter 18, Viewing Logs.

Filters: This view lets you enable or disable filters used for capturing packets into the capture window buffer. See Chapter 6, Creating and Using Filters.


Alarms (OmniEngine only): This view lets you query a specified monitor statistics function once per second, testing for user-specified problem and resolution conditions. On matching any of these tests, the alarm function sends a notification of user-specified severity. See Chapter 15, Setting Alarms and Triggers.

Expert: These views provide expert analysis of delay, throughput, and a wide variety of network events in a conversation-centered view of traffic in a capture window. See Chapter 8, Expert Analysis.

Clients/Servers: This view makes it easy to track events and to see them in the context of peer-to-peer or client-server traffic patterns. See Expert Clients/Servers view on page 178.

Flows: This view displays each flow independently in a flat view. This simplified view allows you to compare flows to one another, regardless of the node pair to which they belong. See Expert Flows view on page 180.

Application: This view allows you to link end-user satisfaction with the performance of a network application through Apdex, an open standard that defines methods for reporting application performance. See Expert Application view on page 181.

Web (OmniPeek only): These views let you display web page requests and responses, allowing you to track client/server activity within a capture. The same web data is presented in four formats.

Servers: This view lets you focus on which servers are being used. See Servers view on page 239.

Clients: This view lets you focus on which clients are using which servers. See Clients view on page 240.

Pages: This view displays a list of web pages with each individual request nested underneath. See Pages view on page 241.

Requests: This view displays a flat list of individual HTTP requests. See Requests view on page 242.

Voice & Video: These views let you display the voice and video data in the following formats:

Calls: This view displays one row for each call. See Calls view on page 256.

Media: This view displays one row for each media flow. See Media view on page 257.

Visuals: These views graphically display network traffic and statistics.

Peer Map: This view lets you visualize network traffic by displaying nodes and the traffic between the nodes. The lines indicate traffic between two nodes, and the relative thickness of the lines indicates the volume of traffic. See Chapter 13, Using the Peer Map.

Graphs: This view displays graphs of individual items from the other statistics views in real time. The data from these graphs can also be saved as tab-delimited or comma-delimited text, or as XML or HTML. On an OmniEngine, this view must be enabled in the Graphs options of the Capture Options dialog. See OmniPeek capture window graphs on page 326.

Statistics: These views display various statistical data about your network.

Nodes: This view displays real-time data organized by network node. You can choose to display the nodes in a nested hierarchical view (logical addresses nested beneath their physical address), or in a variety of flat tabular views. Right-click the column header to add or remove various columns. See Node statistics on page 281.

Protocols: This view displays network traffic volume as a percentage of total bytes, broken down by protocol and subprotocol. You can choose to display the protocols in either a nested Clients/Servers view or a Flows view. See Protocol statistics on page 284.

Summary: This view lets you monitor key network statistics in real time and save those statistics for later comparison. Summary statistics are also extremely valuable in comparing the performance of two different networks or network segments. See Summary statistics on page 291.


Wireless: These views display information about your wireless network.

WLAN: This view displays an SSID (Service Set Identifier) tree view of wireless nodes. See WLAN statistics on page 297.


Channels: This view displays a variety of statistics and counts for each wireless channel. See Channel statistics on page 295.


Signal: This view displays continuously updated graphs of signal strength (or related measures) for traffic in the capture window. See Signal statistics on page 300.

Roaming: These views display roaming latency, the amount of time it takes for a wireless device to move from one access point to another. This is also known as reassociation.

Log: This view displays a log entry each time a wireless roaming device is detected. See Log on page 422.


by Node: This view displays an entry for each wireless roaming device, and calculates an average latency value for that device. See by Node on page 423.

by AP: This view displays an entry for each wireless access point, and calculates an average latency value for that access point. See by AP on page 423.

Important! Your version of the software may not include all of the views listed here. Please visit our web site at www.wildpackets.com for details about how to order the features that precisely fit the needs of your network.

Opening saved capture files


Capture files, or trace files, are the packets of a capture window saved in one of several supported capture file formats. You can open capture files to load and process their packets in OmniPeek again. See Save file formats on page 105 for a description of the supported capture file formats.

OmniPeek capture files


To open an OmniPeek capture file:

1. Do one of the following:

Click Open Capture File on the Start Page.
Choose File > Open.

2. Select the capture file and click Open.


Tip Click the Analysis Options button to enable or disable specific analysis options for the capture file that you are opening.

3. Click the Packets view in the navigation menu.

Packets view (figure callouts): Filter bar, Display Filter list.

Note Triggers and capture filters are not available from a capture file. However, you can use display filters and filters created in the Filter Bar to view subsets of the traffic in the same window or copied to a new window. See Chapter 7, Post-capture Analysis. See also Display filters on page 122 and Creating filters with the filter bar on page 135.

OmniEngine capture files


If you have a standard OmniEngine (Windows or Linux), capture files are saved to the Data folder you specified when configuring the engine. See Configuring and updating OmniEngine settings on page 24. The Files tab in the OmniEngines window displays a listing of all the capture files saved to the OmniEngine computer. From this tab, you can perform network forensic analysis using the data from one or more selected files. See Forensics capture on an OmniEngine on page 55 and Forensic search from the Files tab on page 153.

If you have a WildPackets TimeLine network recorder, capture data is stored in the capture storage space allocated on the recorder. See Forensics capture on an OmniEngine on page 55. The Forensics tab in the OmniEngines window displays the capture sessions available for forensic analysis. See Forensic search from the Forensics tab on page 158.

Splitting saved capture files


If you have a large WildPackets formatted packet file, you can easily split it into smaller, more manageable packet files. You can specify file sizes by byte size or packet count.

To split a large packet file:

1. Choose Tools > Split Packet File. The Split Packet File dialog appears.

2. Select the source file, destination folder, file size, and file size unit (Megabytes, Kilobytes, or Packets) and click Split. Each of the smaller files is approximately the size you specified, with the possible exception of the last file created, which holds the remainder when the original file cannot be divided evenly by the size specified.

Combining files
The PeekCat command line utility (located in the OmniPeek\Bin directory) lets you combine multiple capture files of the same OmniPeek file format. Please see the peekcat.txt file in the \Bin directory for more information.

Using capture templates


Capture templates let you use pre-defined settings for creating a new capture window. You can save any capture window as a capture template. The steps for creating and using capture templates differ in OmniPeek and OmniEngine.

OmniPeek capture templates


To create and use a capture template from OmniPeek:

1. Make the capture window the active window.

2. Choose File > Save Capture Template. The Save As dialog appears.

3. Name the template and save it in the Capture Template format (*.ctf).

4. To use the capture template, choose File > New From Template and select the desired template.

Note Capture windows created from templates are created without first opening the Capture Options dialog, regardless of whether the check box labeled Show this dialog when creating a new capture window is checked or unchecked.

You can also create capture templates in the following ways:

- Capture templates are used when starting OmniPeek from the command line. See Starting OmniPeek from the command line on page 494.
- The OmniPeek AutoCapture feature allows you to create, import, and export settings from capture templates, and use them to programmatically open captures. See Chapter 20, Using AutoCapture.

OmniEngine capture templates


To create and use a capture template from OmniEngine:

1. For a connected OmniEngine, do one of the following:

- On the Home tab, select Edit Capture Templates under New Capture.
- On the Capture tab, click the arrow to the right of the Insert button and select Edit Capture Templates.
- On the Adapters tab, select Edit Capture Templates under New Capture.

The Capture Templates dialog appears. Its buttons (Insert, Edit, Duplicate, and Delete) are described below.

- Insert: Click to open the Capture Options dialog, where you can configure settings for a new template. When you click OK, your new template is listed in the OmniEngine Capture Templates dialog and is also available as an option when creating a new capture window.
- Edit: Click to open the selected template. The OmniEngine Capture Options dialog appears, where you can change the capture settings.
- Duplicate: Click to duplicate the selected template.
- Delete: Click to delete the selected template.

2. To use the capture template, select the template name from the Home, Capture, or Adapters tab described in Step 1 above.

Multiple capture windows from a single template


You can also create a single named template that creates multiple capture windows, each with its own individual capture options.

Note Creating multiple capture windows from a single template is not supported from an OmniEngine.

To create multiple capture windows from a single capture template:

1. Create or open the OmniPeek capture windows you wish to include in the template. Make sure only the capture windows you wish to include are open.

2. Hold down the Ctrl key and choose File > Save All as Capture Template.

3. Name the template and save it in the Capture Template format (*.ctf). The saved template will include all the open capture windows.

4. To use the capture template, choose File > New From Template and select the desired template.

Forensics capture on an OmniEngine


From an OmniEngine, you can create a new capture window based on capture settings optimized for post-capture forensic analysis. Data from a forensics capture is stored on the OmniEngine. You can then use these forensics captures to perform a more detailed investigation of the data to identify and troubleshoot items such as network problems, security attacks, HR policy violations, and more.

To start a forensics capture:

1. From a connected OmniEngine, do one of the following:

- On the Home tab, select New Forensics Capture under New Capture.
- On the Capture tab, click the arrow to the right of the Insert button and select New Forensics Capture.
- On the Adapters tab, select New Forensics Capture under New Capture.

The General options of the Capture Options dialog appear. See Configuring general options on page 35. See also Configuring adapter options on page 40 to select a capture adapter.

Note Since a forensics capture is optimized for post-capture forensics analysis, click the Analysis Options view in the Capture Options dialog and notice that all options are disabled by default. This helps to ensure packets are captured at the fastest rates possible.

2. Click OK in the Capture Options dialog. A new OmniEngine capture window appears with packet capture already under way.

3. Click the Stop Capture button to stop capturing packets.

4. Depending on your OmniEngine, you can perform forensic analysis from the Files or Forensics tab in the OmniEngines window:

- If you have a standard OmniEngine (Windows or Linux), the Files and Forensics tabs are available for forensic analysis. See Forensic search from the Files tab on page 153 and Forensic search from the Forensics tab on page 158.
- If you have a WildPackets TimeLine network recorder, the Forensics tab is available for forensic analysis. See Forensic search from the Forensics tab on page 158.

Note You can also perform forensic analysis directly from a Forensics Capture window. See Forensic search from the Forensics Capture window on page 168.

Note A capture session is created each time you start a capture on a WildPackets TimeLine network recorder. A capture session represents a contiguous period of time when packets are captured from a particular interface. A capture can have multiple capture sessions, and each session can be separated by periods of inactivity (from stopping and starting the capture). Forensics analysis can then be performed on each capture session. Capture sessions are displayed in the nested tabs available from the Forensics tab.

Monitoring capture on an OmniEngine


On an OmniEngine, you can create a new monitoring capture window based on capture settings optimized for presenting expert and high-level network statistics data.

Note Monitoring capture is not supported from an OmniPeek console.

To start a monitoring capture:

1. From a connected OmniEngine, do one of the following:

- On the Home tab, select New Monitoring Capture under New Capture.
- On the Capture tab, click the arrow to the right of the Insert button and select New Monitoring Capture.
- On the Adapters tab, select New Monitoring Capture under New Capture.

The General options of the Capture Options dialog appear. See Configuring general options on page 35. See also Configuring adapter options on page 40 to select a capture adapter.

Note Since a monitoring capture is optimized to view and analyze expert and statistical data, click the Analysis Options view in the Capture Options dialog and notice that all statistics are enabled. This helps to ensure optimum analysis of the data.

2. Click OK in the Capture Options dialog. A new OmniEngine capture window appears.

3. From the new monitoring capture window, try the following:

- Click the Network dashboard to see network statistics for the capture. See Network dashboard on page 63.
- Click the statistics views to see various displays of the statistics data for the capture. To analyze the data obtained from a monitoring capture, see Displaying and Reporting Statistics on page 275.

CHAPTER 4 Dashboards

In this chapter:

- About dashboards, page 60
- Timeline dashboard, page 60
- Network dashboard, page 63
- Voice & Video dashboard, page 64
- Apdex dashboard, page 66
- Compass dashboard, page 70

About dashboards
The OmniPeek dashboards display graphical data about your network summarized into several easy-to-read displays. There are five dashboards available from OmniPeek and OmniEngine capture windows: Timeline (OmniEngine only), Network, Voice & Video, Apdex, and Compass (OmniPeek only).

Timeline dashboard
The Timeline dashboard is available from OmniEngine capture windows that have any of the Timeline Stats options enabled in the Capture Options dialog. The dashboard displays top talkers, top protocols, and network utilization for the OmniEngine.
[Figure: Timeline dashboard, with callouts for the Timeline graph, Header Information, View type, Time window, Forensic search, Download Packets, Top Talkers by IP Address, Top Protocols, and Refresh.]

The parts of the Timeline dashboard are described below.

- Header Information: The header information displays statistics for the capture session (data start time, data end time, duration, status, packets, packets dropped, adapter, etc.).
- Top Talkers by IP Address: This display shows a graph of top talkers on the network, broken out by node. You can right-click inside the display to display top talkers by Physical Address, IP Address, or IPv6 Address, or to select a Bar or Pie display. Mouse over a bar (or slice) of the graph to view a tooltip with additional details for the node.
- Top Protocols: This display shows a graph of top protocols on the network. You can right-click inside the display to select a Bar or Pie display. Mouse over a bar (or slice) of the graph to view a tooltip with additional details for the protocol.
- Timeline graph: The Timeline graph displays the data of the selected capture session. Only one capture session at a time can be displayed inside the graph. By default, the graph shows network utilization in Mbits/s, but other statistics can be graphed as well by selecting the View type.

Here are descriptions of other parts of the Timeline graph:

- Right-click inside the graph to perform a forensic search (see Performing a forensic search on an OmniEngine on page 153), download selected packets to a capture file, refresh the window, or choose a different graph format: Bar, Stacked Bar, Skyline, Area, Stacked Area, Line, Line/Points, Linear, and Logarithmic. You can also toggle displaying the minimum and maximum points for each series on the graph.
- Mouse over a data point in the graph to view a tooltip displaying timestamp and size information (e.g., time and rate, time and packet size, etc.).
- If the Time window is set to an interval other than Automatic and there is more data than fits on the screen, a scroll bar appears below the graph and allows you to view different points of time in the graph. With the Time window set to Automatic, the scroll bar never appears.

- View type: Select the type of statistics to display in the Timeline graph. You can select from:
  - Network Utilization (Mbits/s)
  - Network Utilization (Packets/s)
  - Unicast/Multicast/Broadcast
  - Packet sizes
  - VLAN/MPLS
  - Protocols (Mbits/s)
  - Protocols (Packets/s)
  - Call Quality (TimeLine network recorder only)
  - Call vs. Network Utilization (TimeLine network recorder only)

Note To display statistics for a Call Quality view type, the Timeline VoIP Stats option must be selected when you first create the capture and configure the General options of the Capture Options dialog. See Configuring general options on page 35.

- Time window: Select the time interval to display in the Timeline graph. By default, Automatic is selected to display the optimum window based on the available data. Intervals from 5 Minutes (1 Sec. Avg.) to 24 Hours (5 Min. Avg.) are also available.
- Forensic search: Click the button to display the Forensic Search dialog, where you can adjust the forensic search settings. Click the small down arrow next to the button to display custom or pre-configured settings for performing a forensic search. You can change any option prior to clicking the OK button:
  - Custom: Creates a Forensic Search window based on the customized settings that you configure.
  - Overview: Creates a Forensic Search window based on settings that display an overview of the selected data in the capture session.
  - Packets: Creates a Forensic Search window containing a packets-only view.
  - Expert: Creates a Forensic Search window based on settings that are optimized for Expert analysis.
  - Voice & Video: Creates a Forensic Search window based on settings that are optimized for Voice & Video analysis.
- Download Packets: Click to download the packets from the selected capture session, in the selected time range.
- Refresh: Click to refresh the screen. For an active capture session, you can also set an automatic refresh interval by selecting an interval from the drop-down list to the right of the Refresh button.

Network dashboard
The Network dashboard displays key statistics for the capture window.

The parts of the Network dashboard are described below.

- Network Utilization: This display graphs network traffic in Mbits/second. You can right-click inside the display to drill down to selected packets, or to select a Bar, Area, Line, or Line/Points display.
- Wireless Signal: This display graphs wireless signal and/or noise strength (as a percentage) for the wireless channel you are capturing on, or all channels you have configured the capture to scan. This display is available only when a wireless adapter is selected as the capture adapter. You can right-click inside the display to select the parameters to display. Hovering over a channel displays a tooltip with additional channel information.
- Current Activity: This display shows three analog gauges with corresponding digital displays at their centers to show network utilization (as a percent of capacity), traffic volume (in packets per second), and error rate (total errors per second). You can right-click inside the display to select a Light, Dark, or Clean background for the display.
- Log: This display shows the number of notifications generated by level of severity. You can right-click inside the display to select a Light, Dark, or Clean background for the display. Clicking a severity icon navigates to the Log tab and displays those log events corresponding to the severity clicked.
- Top Talkers by IP Address: This display shows a graph of top talkers on the network, broken out by node. You can right-click inside the display to display top talkers by Physical Address, IP Address, or IPv6 Address, or to select a Bar or Pie display. Clicking a bar (or slice) of the graph opens a Detail Statistics window populated with details for the node clicked.

Note This feature is automatically enabled for OmniEngine captures based on the Monitoring Capture template. Top talkers are displayed as Not Available for OmniEngine captures using the Forensic Capture template. See Forensics capture on an OmniEngine on page 55 and Monitoring capture on an OmniEngine on page 56.

- Top Protocols: This display shows a graph of top protocols on the network. You can right-click inside the display to select a Bar or Pie display. Clicking a bar (or slice) of the graph opens a Detail Statistics window populated with details for the protocol clicked.

Voice & Video dashboard


The Voice & Video dashboard provides a visual display of voice and video call summary, as well as useful graphs and statistics to troubleshoot and analyze voice and video traffic.

64 Voice & Video dashboard

OmniPeek User Guide

The parts of the Voice & Video dashboard are described below.

- Call Summary: This display shows Call Counter information and Closed Call Statistics on voice and video packet loss. In addition, the Call Summary displays the Max Call Time, which is the point in time when the maximum call limit was reached. The Max Call Time is displayed in red text and appears dynamically.
- Call Quality Distribution: This display shows open and closed calls by quality based on MOS scores. You can right-click inside the display to select a Bar or Pie display.

MOS scores are calculated for each media flow independently, and each call's quality is the lowest MOS score of any of its associated media flows. Voice media is scored with MOS-CQ, video media with MOS-V, and audio media with MOS-A. The quality thresholds are as follows:

  - <2.6 = Bad (displayed in Red)
  - >=2.6 to <3.1 = Poor (displayed in Orange)
  - >=3.1 to <3.6 = Fair (displayed in Yellow)
  - >=3.6 = Good (displayed in Green)

Media flows with unsupported codecs are not included in the display, since MOS values cannot be obtained for those calls. Additionally, the display reflects the same data present in the Calls and Media views, and therefore is affected by the 2000 call limit.

- Call Quality: This display shows a line graph of the quality for each codec in use over time. You can right-click inside the display to select a Line or Line/Points graph.

MOS scores are used for the quality measurement. Voice media is scored with MOS-CQ, video media with MOS-V, and audio media with MOS-A. The quality for a time period is the average of the MOS scores for all open media flows in that time period. In addition, this graph only displays MOS scores for supported codecs, as unsupported codecs do not provide MOS measurements.

- Call Volume: This display shows a graph of open calls (per codec) over time for voice and video calls. This graph reflects all calls from the Calls and Media views, and unlike the other graphs in the dashboard, the Call Volume graph includes data for calls using unsupported codecs. You can right-click inside the display to select an Area, Line, or Line/Points graph.
- Call Utilization: This display shows a graph of overall network utilization compared to network utilization by VoIP protocols. You can right-click inside the display to select an Area, Line, or Line/Points graph.

This graph displays two legends: Network Utilization and Call Utilization. Utilization values are displayed in Mbits/second. The VoIP utilization is the total utilization for all VoIP packets (i.e., signaling, media RTP/RTCP, and unsupported codecs).

Tip Several of the displays inside the Voice & Video dashboard support tooltips. Hover over the display to view a tooltip with additional information.
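The scoring rules above (lowest MOS across a call's media flows, the four quality bands, exclusion of flows with unsupported codecs, and the per-interval average used by the Call Quality graph), as an added Python example that is not OmniPeek code. The flow records, the field names (media, codec_supported, mos) and the sample calls are constructed for illustration; OmniPeek's internal representation is not documented here.

```python
BAD, POOR, FAIR, GOOD = "Bad", "Poor", "Fair", "Good"


def mos_rating(mos):
    """Bucket a MOS value the way the Call Quality Distribution display does."""
    if mos < 2.6:
        return BAD
    if mos < 3.1:
        return POOR
    if mos < 3.6:
        return FAIR
    return GOOD


def call_quality(flows):
    """A call's quality is the lowest MOS of its media flows (MOS-CQ, MOS-V or MOS-A,
    scored per flow).  Flows whose codec is unsupported carry no MOS and are skipped;
    a call with no scorable flow returns None and is left out of the distribution."""
    scored = [f["mos"] for f in flows if f["codec_supported"] and f["mos"] is not None]
    if not scored:
        return None
    worst = min(scored)
    return worst, mos_rating(worst)


def quality_distribution(calls):
    """Count calls per quality bucket (Bad/Poor/Fair/Good), skipping unscorable calls."""
    counts = {BAD: 0, POOR: 0, FAIR: 0, GOOD: 0}
    for flows in calls:
        quality = call_quality(flows)
        if quality is not None:
            counts[quality[1]] += 1
    return counts


def quality_over_time(samples, interval):
    """samples: (t_seconds, mos_or_None) for open media flows -> {interval_start: mean MOS}.
    Only flows that have a MOS are averaged, as the Call Quality graph does."""
    buckets = {}
    for t, mos in samples:
        if mos is None:
            continue
        buckets.setdefault(int(t // interval) * interval, []).append(mos)
    return {start: sum(v) / len(v) for start, v in sorted(buckets.items())}


# Constructed calls (not captured data): each call is a list of its media flows.
CALLS = [
    [{"media": "voice", "codec_supported": True, "mos": 4.1},     # MOS-CQ
     {"media": "video", "codec_supported": True, "mos": 3.4}],    # MOS-V drags the call to Fair
    [{"media": "voice", "codec_supported": True, "mos": 4.3}],    # Good
    [{"media": "video", "codec_supported": False, "mos": None},   # unsupported codec, ignored
     {"media": "voice", "codec_supported": True, "mos": 2.4}],    # Bad
    [{"media": "video", "codec_supported": False, "mos": None}],  # nothing scorable: excluded
]

if __name__ == "__main__":
    for flows in CALLS:
        print(call_quality(flows))
    print(quality_distribution(CALLS))
```

The first call illustrates the rule that matters in practice: a good voice leg does not rescue a poor video leg, so the call lands in Fair. The fourth call never appears in the distribution at all, which is why a dashboard can show fewer calls than the Calls view lists.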

Apdex dashboard
The Apdex dashboard provides a visual display of the data in the Application view. The screenshot below displays individual application Apdex scores corresponding to the ratings in the Apdex column of the Application view. Apdex ratings are also displayed in the gauge and table representing each application.

[Figure: Apdex dashboard, with callouts for Sort By, Sort Ascending, Sort Descending, Display Applications, Expand All, Collapse All, and Gauges.]

The parts of the Apdex dashboard are described below.

- Sort By: Use the drop-down list to choose how to sort the Apdex display.
- Sort Ascending: Sort the display in ascending order.
- Sort Descending: Sort the display in descending order.
- Display Applications: Displays the selected number of Top applications in the display. You can also choose a refresh interval from the drop-down list.
- Expand All: Expand the display to show all of the details.
- Collapse All: Collapse the display to show the minimum details.
- Gauges: The dial on the gauge shows the number and color associated with the Apdex score and rating:

  - Blue: Excellent application response time (.94 - 1.00)
  - Green: Good application response time (.85 - .93)
  - Yellow: Fair application response time (.70 - .84)
  - Red: Poor application response time (.50 - .69)
  - Gray: Unacceptable application response time (0 - .49)

Tip You can click the gauge to display the Application view and the specific details for this application.

- Apdex Score: This score represents user satisfaction with application performance as a score from 0.00 (unacceptable) to 1.00 (excellent).
- Apdex Rating: This rating is the verbal correlate to the numerical score (Unacceptable, Poor, Fair, Good, Excellent).
- Apdex Sample Count: This count displays the number of Apdex tasks that have completed for this application.
- Flows Analyzed: This count displays the number of flows that have been analyzed for this application.
- Expert Event Count: This count displays the total number of expert events that have been identified by the Expert EventFinder.
- Expert Max. Event Severity: This displays the maximum level of event severity identified for this application.
- Expert >> Application >> [Application Name]: Click this link (or click the gauge) to display the Application view and the specific details for this application. See Expert Application view on page 181.

Calculating the Apdex score


The Apdex score is based on task duration relative to the user-defined threshold duration (shown in brackets), which is set in the Expert EventFinder window. See Expert EventFinder on page 189.

To set the Apdex threshold duration:

1. Click the EventFinder Settings button in the Expert view toolbar.

2. Expand the expert events under Application and select an Apdex-related event.

3. Set the Apdex Threshold Duration to the desired number of seconds.

Note A single Apdex threshold duration value is applied to all of the Apdex-related events.

4. Click OK.

To import or export user-defined Apdex threshold duration values:

1. Open the Expert EventFinder window. See Expert EventFinder on page 189.

2. Click the Import and Export buttons in the EventFinder window. Apdex threshold duration values are automatically saved with the Expert EventFinder settings.

Note When the Apdex column is exported to a text file, it contains the Apdex formatting as specified in the Apdex standard, for example 0.89 [4.0]*. The bracketed number is the Apdex threshold duration. The asterisk, if present, indicates a small sample size (fewer than 100 samples).
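How a score such as 0.89 [4.0]* comes out of task durations and a threshold, as an added Python example that is not OmniPeek code. The page only says the score depends on task duration relative to the threshold; the satisfied/tolerating/frustrated rule (within T, within 4T, beyond 4T) and the (Satisfied + Tolerating/2) / Total formula are taken from the public Apdex specification the page refers to, the rating bands are the gauge bands listed above, and the sample durations are constructed.

```python
# Rating bands from the Apdex dashboard gauge colors (defined on two-decimal scores).
RATINGS = [(0.94, "Excellent"), (0.85, "Good"), (0.70, "Fair"), (0.50, "Poor"), (0.0, "Unacceptable")]


def apdex_score(durations, threshold):
    """Apdex as defined by the Apdex specification: a task is Satisfied when it completes
    within the threshold T, Tolerating when it takes between T and 4T, and Frustrated beyond
    4T; the score is (Satisfied + Tolerating / 2) / total.  Returns (score, sample_count),
    with score None when no task has completed yet."""
    if threshold <= 0:
        raise ValueError("threshold duration must be positive")
    n = len(durations)
    if n == 0:
        return None, 0
    satisfied = sum(1 for d in durations if d <= threshold)
    tolerating = sum(1 for d in durations if threshold < d <= 4 * threshold)
    return (satisfied + tolerating / 2) / n, n


def apdex_rating(score):
    """Verbal rating for a score; the dashboard bands apply to the rounded two-decimal value."""
    rounded = round(score, 2)
    for floor, name in RATINGS:
        if rounded >= floor:
            return name
    return "Unacceptable"


def format_apdex(durations, threshold):
    """Render the exported-column format shown on the page, e.g. '0.89 [4.0]*':
    score to two decimals, threshold in brackets, '*' when fewer than 100 samples."""
    score, n = apdex_score(durations, threshold)
    if score is None:
        return "n/a [%.1f]" % threshold
    return "%.2f [%.1f]%s" % (score, threshold, "*" if n < 100 else "")


# Constructed task durations in seconds (not measured data), threshold T = 4.0 s.
THRESHOLD = 4.0
SAMPLE = [1.0] * 40 + [8.0] * 6 + [20.0] * 4     # 40 satisfied, 6 tolerating, 4 frustrated

if __name__ == "__main__":
    score, n = apdex_score(SAMPLE, THRESHOLD)
    print(score, n, apdex_rating(score), format_apdex(SAMPLE, THRESHOLD))
```

With the sample above the score is (40 + 6/2) / 50 = 0.86, rated Good, and the column renders as 0.86 [4.0]* because only 50 tasks were sampled. Note the asymmetry the formula creates: ten tasks that all take 5 s against a 4 s threshold score 0.50 (Poor), while ten that take 17 s score 0.00, so the threshold you set in the EventFinder decides which band an application falls into as much as its real response time does.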


Compass dashboard
The Compass dashboard is available from OmniPeek capture windows only, and is an easy-to-use network monitoring tool for both wired and wireless networks. It is an interactive forensics dashboard that displays network utilization over time, top protocols, top flows, and top nodes. You can view these statistics from a real-time capture occurring on an OmniPeek network analyzer, from a single supported capture file, or from multiple capture files (*.pkt, *.pcap, *.wpz). With its unique ability to aggregate traffic from multiple wireless channels or wired segments, the Compass dashboard provides network engineers with more visibility and insight into their networks.

[Figure: Compass dashboard, showing the Network Utilization Graphs, Top Protocols, Top Flows, and Top Nodes displays.]

The parts of the Compass dashboard are described below.

- Network Utilization Graphs: This displays two interactive timeline graphs that allow you to select and display a range of data. See Network utilization graphs on page 71.
- Top Protocols: This displays the top protocol statistics for the selected area in the utilization graphs at the top of the dashboard. See Top protocols on page 76.
- Top Flows: This displays the top flow statistics for the selected area in the utilization graphs at the top of the dashboard. See Top flows on page 79.
- Top Nodes: This displays the top node statistics for the selected area in the utilization graphs at the top of the dashboard. See Top nodes on page 81.

Tip You can use the vertical and horizontal splitters located between the displays to resize the displays.

Network utilization graphs


The network utilization graphs in the Compass dashboard are two interactive timeline graphs that allow you to zoom into any specific area of interest. You can narrow the selected time range so that granularity ranges between milliseconds, seconds, minutes, hours, days, and weeks (the time range adjusts accordingly depending on how large a capture needs to be displayed). As you change the selected time range, the statistics change accordingly to reflect the new period. The network utilization graphs consist of a top (larger) and bottom timeline graph. The top graph displays utilization over a selected time range, while the bottom graph displays utilization over the total time period.

Tip For best results, it is recommended to zoom in on a selected time range until you can see the details of the area of interest. For network utilization graphs that have a duration of more than one hour, to see one-second granularity for any portion of the graphs, select a period of time less than one hour, save the dashboard to a new project, and then open the project.

[Figure: Compass network utilization graphs, with callouts for Select All, Zoom In, Zoom Out, Save current view to a Report File, Add Files, Filter, TX/RX, Legend, Event Types, Top Graph, Pause/Play, Units, Graph Types, Event Markers, Bottom Graph, Time Range Indicator, Slider Controls, and Scroll Bar.]

The parts of the network utilization graphs are described below:

- Top graph: Displays network utilization as a bar, area, line, or dot graph over a selected time range. Drag left or right inside the graph to select and display a specific time range (you can also use the bottom graph to select the time range). The selected data is then reflected in the bottom graph, and in the Top Protocols, Top Flows, and Top Nodes displays at the bottom. Mouse over a data point to see details about that point in time. Use your scroll wheel to narrow or widen the selection. Right-click inside the graph to see a list of additional commands/features. You can also double-click inside the graph to go back to the most recent selection.
- Bottom graph: Displays network utilization as an area graph over the total time period. When starting a real-time capture, the bottom graph is not displayed until approximately one minute after starting the capture. You can also press M to toggle displaying the bottom graph. Use both the slider controls and scroll bar to select a specific time range. The data for the selected time range is then reflected in the top graph, and in the Top Protocols, Top Flows, and Top Nodes displays at the bottom.
- Time Range indicator: The time range indicator below the X axis of the top graph indicates the start date and time, stop date and time, and duration of the currently selected time range. The avg. is the amount of time for each data point in the graph and is automatically adjusted based on the duration of the selected time range.
- Slider controls: The two slider controls allow you to widen and narrow the time range selected in the bottom graph. In a real-time capture, if the right side slider control is pushed all the way to the right edge of the bottom graph, new data is displayed as it becomes available. As new data appears from the right, older data is removed from the left, maintaining the duration of the selected time range. If the right side slider control is moved left, away from the right edge, then the selected time range is not changed; however, new data is still added to the bottom graph.
- Scroll bar: The scroll bar allows you to scroll through the time range in the bottom graph.
- Pause/Play (real-time capture only): Toggles between updating and not updating the graphs in real time.
- Units drop-down list: Allows you to display the Y axis in the top graph, bar graphs, pie graphs, bottom graph, legend, and list views in: Bits, Bytes, Mbits, Gbits, Packets, Average 1-Way Latency, Worst 1-Way Latency, Average 2-Way Latency, Worst 2-Way Latency, or Signal (signal strength for wireless data). For more information on 1-Way and 2-Way latency, see Measuring latency on page 75.
- Graph type: Displays the top graph as a bar, area, line, or dot graph. Each item graphed in dot mode cycles through the following shapes: circle, square, diamond, triangle, and plus sign (in this order).

Tip Pressing the Ctrl key while selecting a graph type allows you to keep the graph type and data currently displayed, while changing the graph type for the next selected item. For example, if the Compass display is currently an area graph, you can display the current area graph and also a dot graph for a selected protocol. Simply press the Ctrl key while selecting the dot graph type, and then select the desired protocol from one of the protocol displays.

- Event type: Displays Expert events (Informational, Minor, Major, or Severe) occurring on the network as colored event markers below the X axis. The color of the marker matches the colored event type, and the number of events is displayed next to it. Compass shows events only when the selected area contains 5000 or fewer events; if there are more, no events are shown, and you must select a smaller time window (or choose fewer event types) to view them.

  - Informational events: Click the blue informational event type icon to toggle the display of informational events.
  - Minor events: Click the green minor event type icon to toggle the display of minor events.
  - Major events: Click the yellow major event type icon to toggle the display of major events.
  - Severe events: Click the red severe event type icon to toggle the display of severe events.
- Add files (multiple file Compass dashboard only): Opens the Add File(s) to Compass project dialog.
- Save current view to a report file: Saves the data currently displayed inside a Compass dashboard to an HTML report that can be viewed from inside a browser window, or to a PDF file. See Save Compass dashboard as a report on page 89.
- Select all: Selects the entire time range. You can also double-click inside the top graph, or press A, to select the entire time range.
- Zoom In: For selected time ranges of 10 units or less, Zoom In is enabled and allows you to narrow the selected time range so that you can increase granularity between milliseconds, seconds, minutes, hours, days, and weeks (the time range adjusts accordingly depending on how large a capture needs to be displayed). For example, if the graph is in seconds with a one-second average, and the time range is 10 seconds or less, you can zoom into milliseconds with a one-millisecond average; or, if the graph is in days with a one-day average, and the time range is 10 days or less, you can zoom into hours with a one-hour average.
- Zoom Out: Brings you back out of the previous Zoom In selection.
- Filter: Filters selected protocol, flow, and node statistics from the buffer, and from the time range currently selected in the Graph views. The protocols, flows, and nodes are selected from any of the Top Protocols, Top Flows, or Top Nodes views. If multiple items are selected in the Top Protocols, Top Flows, or Top Nodes views, Compass performs an OR filter between them.
- TX/RX: Enables or disables graphing of both the inbound and outbound utilization values for the selected protocols or nodes. The outbound values appear in a slightly lighter color than the inbound values in both the graphs view and the legend. TX/RX is not available for any of the four latency modes.
- Legend: Displays a legend (hidden by default) of the graphed items. Once visible, the legend values can be displayed as averages or totals for the selected time range. Use the check boxes to show or hide entries from the graphs.


Filtering related protocols, flows, and nodes


From the network utilization graphs, you can use the filter feature to filter statistics so that only statistics from selected protocols, flows, and nodes are displayed inside the graphs.
To filter protocols, flows, and nodes:
1. Select the protocols, flows, or nodes you would like to filter from any of the views for the Top Protocols, Top Flows, or Top Nodes displays.
2. Right-click inside the network utilization graphs and select Filter, or simply click the Filter icon (binoculars) at the top of the graphs. The selected protocols, flows, and nodes are then displayed inside the graphs.

Measuring latency
You can select 1-way and 2-way latency settings from the Units drop-down list. Here are descriptions of 1-way and 2-way latency in Compass:

1-way latency

1-way latency is the delta time between the same packet on different segments of the network. 1-way latency can be calculated on a single capture file, a Compass database, or a capture window with packets in it, but not on a real-time capture. 1-way latency is measured for each interval of time (e.g., 1 second, 10 seconds, 20 seconds, etc.). Average 1-way latency is the average of latency values across an interval of time. Worst 1-way latency is the worst latency value for each interval of time. 1-way latency calculations include a synchronization offset calculation similar to OmniPeek MSA. 1-way latency is measured in seconds, and the granularity is microseconds.

2-way latency

2-way latency is only calculated for TCP flows. All other flows will show 2-way latency as 0. 2-way network latency is the delta time between a request packet from the client, and a response packet from the server received by the client. 2-way application latency is the delta time between a request packet from the client, and a response packet with data from the server received by the client.

Chapter 4: Dashboards

2-way latency is measured for each interval of time (e.g., 1 second, 10 seconds, 20 seconds, etc.). 2-way latency is measured in seconds. The granularity is microseconds.
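The two measurements described above, carried out on constructed sample traffic as an added example (this is not OmniPeek or Compass code). The packet record, the `packet_id` used to recognise the same packet at two capture points, and the caller-supplied `sync_offset` are assumptions; the per-interval average and worst aggregation follows the text, with each sample assigned to the interval in which the request (or the first sighting) occurred:

```python
"""Per-interval 1-way and 2-way latency aggregation (added example).

  - 2-way latency per TCP flow: client request -> first server packet (network)
    and -> first server packet carrying data (application)
  - 1-way latency: the same packet seen at two capture points, corrected by a
    clock synchronization offset
Each interval reports (average, worst) as in the Compass description.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Packet:
    ts: float           # capture timestamp in seconds
    client: str         # "ip:port" of the client side of the TCP flow
    server: str         # "ip:port" of the server side
    from_client: bool   # True for client -> server, False for server -> client
    payload: int        # TCP payload bytes (0 for a bare ACK)


def _avg_worst(samples: List[float]) -> Tuple[float, float]:
    return (sum(samples) / len(samples), max(samples)) if samples else (0.0, 0.0)


def two_way_latency(packets: List[Packet], interval: float) -> Dict[float, Dict[str, Tuple[float, float]]]:
    """Return {interval_start: {"network": (avg, worst), "application": (avg, worst)}}."""
    pending = {}   # flow -> [request timestamp, network response already seen]
    samples = defaultdict(lambda: {"network": [], "application": []})
    for p in sorted(packets, key=lambda pk: pk.ts):
        flow = (p.client, p.server)
        if p.from_client:
            if p.payload > 0:           # a new request supersedes an unanswered one
                pending[flow] = [p.ts, False]
            continue                    # client ACKs carry no latency information
        if flow not in pending:
            continue                    # server packet without an outstanding request
        req_ts, seen_network = pending[flow]
        bucket = int(req_ts // interval) * interval
        if not seen_network:
            samples[bucket]["network"].append(p.ts - req_ts)
            pending[flow][1] = True
        if p.payload > 0:
            samples[bucket]["application"].append(p.ts - req_ts)
            del pending[flow]           # request fully answered
    return {b: {k: _avg_worst(v) for k, v in d.items()} for b, d in samples.items()}


def one_way_latency(seg_a, seg_b, interval, sync_offset=0.0):
    """seg_a / seg_b: lists of (packet_id, ts) from two capture points.

    packet_id must identify the same packet on both segments (for example a hash
    of IP header fields that do not change in transit). sync_offset is the amount
    by which capture point B's clock runs ahead of A's; Compass derives such an
    offset itself, here it is an assumed input.
    """
    first_seen = dict(seg_a)
    samples = defaultdict(list)
    for pid, ts in seg_b:
        if pid in first_seen:
            delta = (ts - sync_offset) - first_seen[pid]
            bucket = int(first_seen[pid] // interval) * interval
            samples[bucket].append(delta)
    return {b: _avg_worst(v) for b, v in samples.items()}


# Constructed sample traffic (not from a real capture).
SAMPLE_PACKETS = [
    Packet(0.10, "10.0.0.5:51000", "10.0.0.9:80", True, 200),   # request
    Packet(0.12, "10.0.0.5:51000", "10.0.0.9:80", False, 0),    # server ACK
    Packet(0.15, "10.0.0.5:51000", "10.0.0.9:80", False, 500),  # server data
    Packet(0.50, "10.0.0.6:52000", "10.0.0.9:80", True, 120),
    Packet(0.56, "10.0.0.6:52000", "10.0.0.9:80", False, 0),
    Packet(0.90, "10.0.0.6:52000", "10.0.0.9:80", False, 900),
    Packet(1.20, "10.0.0.5:51000", "10.0.0.9:80", True, 100),
    Packet(1.30, "10.0.0.5:51000", "10.0.0.9:80", False, 300),  # data and first reply at once
]
SEGMENT_A = [(1, 0.100), (2, 0.200), (3, 1.050)]
SEGMENT_B = [(1, 0.135), (2, 0.245), (3, 1.080), (9, 2.000)]   # id 9 was never seen at A


if __name__ == "__main__":
    for start, v in sorted(two_way_latency(SAMPLE_PACKETS, 1.0).items()):
        print(f"[{start:4.1f}s] network avg/worst {v['network']}  application avg/worst {v['application']}")
    print(one_way_latency(SEGMENT_A, SEGMENT_B, 1.0, sync_offset=0.010))
```

Note that a flow whose request is never answered contributes no sample; in the real dashboard such flows show up as gaps, which is usually the more interesting signal.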

Top protocols
Top Protocols in the Compass dashboard displays the top protocol statistics for the selected area in the network utilization graphs. You can view the top protocols in a list view, pie chart, or bar chart by selecting the appropriate tab. The list view, pie chart, and bar chart are always in sync. Enabling an item in one of the views will be reflected in all of the other views.

The names and colors of the protocols are specified in an XML file called pspecs.xml. Customizing the names and colors of the protocols can be done by editing the pspecs.xml file. Deeper analysis of protocols can also be developed by making extensions to the pspecs.xml file. Documentation about the format of the pspecs.xml file can be found on the WildPackets MyPeek website.

List View: Displays the top protocols as a list view.
Pie Chart: Displays the top protocols as a pie chart.
Bar Chart: Displays the top protocols as a bar chart.
Protocols: Displays the number of protocols over the selected time range.

Top protocols list view


In the list view, the Protocol, Packets, Bytes, and Description are displayed. Click a column header to sort protocols in ascending or descending order. The columns that are displayed vary, depending on the unit selected. Use the check boxes to enable or disable graphing of a specific protocol in the network utilization graphs above. Right-clicking inside the list view allows you to clear all check boxes. Additionally, enabling a check box of a top ten protocol explodes the protocol from the top protocols pie chart, and also highlights the same protocol in the protocols bar chart.

Top protocols pie chart


In the pie chart view, the top 10 protocols are displayed, with all other protocols grouped as Others. Clicking a slice inside a pie chart lets you enable or disable graphing of a specific protocol in the network utilization graphs above. Additionally, clicking a slice explodes the protocol from the pie chart. Mouse over a slice to see details about a specific protocol. Select or clear the Others check box to show or hide Others from the display.

Top protocols bar chart


In the bar chart view, the top 10 protocols are displayed, with all other protocols grouped as Others. Clicking a bar inside a bar chart lets you enable or disable graphing of a specific protocol in the network utilization graphs above. Mouse over a bar to see details about a specific protocol. Select or clear the Others check box to show or hide Others from the display.

Top flows
Top Flows in the Compass dashboard displays the top flow statistics for the selected area in the network utilization graphs. Only TCP, UDP, and ICMP flows (IPv6 flows are not supported in Compass) are displayed. You can view the top flows in a list view, pie chart, or bar chart by selecting the appropriate tab. The list view, pie chart, and bar chart are always in sync. Enabling an item in one of the views will be reflected in all of the other views.

List View: Displays the top flows as a list view.
Pie Chart: Displays the top flows as a pie chart.
Bar Chart: Displays the top flows as a bar chart.
Flows: Displays the number of flows over the selected time range.

Top flows list view


In the top flows list view, the Client Address, Client Port, Server Address, Server Port, Packets, and Bytes are displayed for the top flows. Click a column header to sort flows in ascending or descending order. The columns that are displayed vary, depending on the unit selected. Use the check boxes to enable or disable graphing of a specific flow in the network utilization graphs above. Right-clicking inside the list view allows you to clear all check boxes. Additionally, enabling a check box of a top ten flow explodes the flow from the top flows pie chart, and also highlights the same flow in the flows bar chart.

Top flows pie chart


In the pie chart view, the top 10 flows are displayed, with all other flows grouped as Others. Clicking a slice inside a pie chart lets you enable or disable graphing of a specific flow in the network utilization graphs above. Additionally, clicking a slice explodes the flow from the pie chart. Mouse over a slice to see details about a specific flow. Select or clear the Others check box to show or hide Others from the display.

Top flows bar chart


In the bar chart view, the top 10 flows are displayed, with all other flows grouped as Others. Clicking a bar inside a bar chart lets you enable or disable graphing of a specific flow in the network utilization graphs above. Mouse over a bar to see details about a specific flow. Select or clear the Others check box to show or hide Others from the display.

Top nodes
Top Nodes in the Compass dashboard displays the top node statistics for the selected area in the network utilization graphs. You can view the top nodes in a list view, pie chart, or bar chart by selecting the appropriate tab. The list view, pie chart, and bar chart are always in sync. Enabling an item in one of the views will be reflected in all of the other views. The names and colors of the nodes come from entries found in the name table. If an entry is not found for a node, then a color is chosen and the IP address is used as the name. If the node is not an IP address, then the MAC address is used as the name.


List View: Displays the top nodes as a list view.
Pie Chart: Displays the top nodes as a pie chart.
Bar Chart: Displays the top nodes as a bar chart.
Nodes: Displays the number of nodes over the selected time range.

Top nodes list view


In the top nodes list view, the Name, MAC address, Packets, and Bytes are displayed for the top nodes. Click a column header to sort nodes in ascending or descending order. The columns that are displayed vary, depending on the unit selected. Use the check boxes to enable or disable graphing of a specific node in the network utilization graphs above. Right-clicking inside the list view allows you to clear all check boxes. Additionally, enabling a check box of a top ten node explodes the node from the top nodes pie chart, and also highlights the same node in the nodes bar chart.

Top nodes pie chart


In the pie chart view, the top 10 nodes are displayed, with all other nodes grouped as Others. Clicking a slice inside a pie chart lets you enable or disable graphing of a specific node in the network utilization graphs above. Additionally, clicking a slice explodes the node from the pie chart. Mouse over a slice to see details about a specific node. Select or clear the Others check box to show or hide Others from the display.

Top nodes bar chart


In the bar chart view, the top 10 nodes are displayed, with all other nodes grouped as Others. Clicking a bar inside a bar chart lets you enable or disable graphing of a specific node in the network utilization graphs above. Mouse over a bar to see details about a specific node. Select or clear the Others check box to show or hide Others from the display.

Viewing a real-time capture Compass dashboard


Viewing a real-time capture Compass dashboard allows you to display network utilization, top protocols, top flows, and top nodes statistics in real time from any capture currently capturing data in OmniPeek.
Note Compass only reports statistics based upon the latest 24 hours of capture; earlier data is removed.
To view a real-time capture Compass dashboard:
1. Create and start a new capture as you normally would in OmniPeek. See Creating an OmniPeek capture window on page 30 and Creating an OmniEngine capture window on page 31.
2. Click the Compass dashboard.
Note Like all analysis, viewing a real-time capture Compass dashboard will have an impact on performance, and should be considered when capturing high volumes of traffic. The exact impact on performance greatly depends on the hardware and software configuration of the computer OmniPeek is running on.

Viewing a single file Compass dashboard


Viewing a single file Compass dashboard allows you to display network utilization, top protocols, top flows, and top nodes statistics from a single capture file. Any capture file format supported in OmniPeek can be viewed in the Compass dashboard. See Save file formats on page 105 for a list of supported capture file formats.
To view a single file Compass dashboard:
1. Choose File > Open and open a valid capture file.
2. Click the Compass dashboard. The capture file is immediately analyzed and the statistics are displayed in the dashboard.

Viewing a multiple file Compass dashboard


Viewing a multiple file Compass dashboard allows you to aggregate and display statistics from any number of capture files (*.pkt, *.apc, *.pcap, and *.wpz) that have accumulated data over a reasonable period of time. To view a multiple file Compass dashboard, you must first create (or select) a capture that has a Compass adapter configured as the capture adapter.
To view a multiple file Compass dashboard:
1. Create a new capture as you normally would in OmniPeek. See Creating an OmniPeek capture window on page 30 and Creating an OmniEngine capture window on page 31. The General options of the Capture Options dialog appears.

Note The Continuous capture and Buffer size options in the Capture Options dialog used to create the Compass project are of particular importance. If Continuous capture is not enabled and the number of packets loaded is larger than will fit into the capture buffer (defined by Buffer size), then when the capture buffer is full, the loading will stop.

If Continuous capture is enabled and the number of packets loaded is larger than will fit into the capture buffer, then when the capture buffer is full, the loading will continue, and the capture will continue cycling packets through the buffer. In this case, the buffer will not contain all of the packets, but the statistics in all of the views will represent all of the packets loaded.
2. Select a Compass adapter as the capture adapter:
a. Click the Adapter options of the Capture Options dialog.

b. Click New Adapter below the Module: Compass Adapter entry.
c. Click OK. The Open or create a packet project dialog appears.
3. Enter a name for the project and click Save. The Compass Project Settings dialog appears.

4. Configure the dialog:

Media Type: Sets the type of network traffic to add to the project. Select either Wired or Wireless.
Snapshot Interval: Sets the granularity of the project. Select either Seconds or Minutes. Seconds should be selected when greater levels of detail are required for shorter periods of time. Seconds should not be chosen for periods of time longer than a day. Minutes should be chosen for longer periods of time. In this scenario, a minutes project can be used to visualize network traffic for longer periods of time, and from that a shorter time range can be selected, saved as packets, and opened as a single file.
5. Click OK. The Add file(s) to Compass project dialog appears.


6. Select the capture files (*.pkt, *.apc, *.pcap, and *.wpz) to add to the project and click Open. A new OmniPeek capture window appears already opened to the Compass dashboard.
Note The files you add to the project should be from approximately the same time period. Once added to the project, the location of each file should not be changed. Additional files can be added by clicking the Add File(s) control in the network utilization graphs views.

7. Initially, there are no packets loaded in the capture buffer. Select the time range, protocols, flows, and nodes that you wish to analyze and process, and click Load Packets.
8. Repeat step 7 to analyze other time ranges, protocols, flows, and nodes. You will be prompted to save changes to your previous capture.

Compass viewing tips


Here are some useful tips when viewing the Compass dashboard:

Use the following keyboard shortcuts to navigate inside the network utilization graphs:

Press the Left arrow key to move the graph one unit to the left.
Press the Right arrow key to move the graph one unit to the right.
Press the Home key to move the graph all the way to the left.
Press the End key to move the graph all the way to the right.
Press the A key to select the entire graph (same as Select All).

When viewing Event types and markers:
Hovering over an event marker displays the event message in a tooltip, and also displays the related flow in the network utilization graph.
Clicking an event marker selects and displays the related flow in the network utilization graph.
Double-clicking an event marker selects the packet in the packets list in OmniPeek.
If there are more than 1000 events that you want to display, Compass does not display any events. Compass only shows the events if there are 1000 or fewer events in the selected area.

You may only select a maximum combination of 10 statistic items (protocols, flows, or nodes) at one time.

Save Compass dashboard as a report


The data currently displayed inside a Compass dashboard can be saved as either an HTML report that can be viewed from inside a browser window, or a PDF file.
To save the dashboard as a report:
1. Click the Save current view to an HTML report button above the network utilization graphs. The Save Report dialog appears.


2. Select the report type, enter a report title, select the report folder, and then click Save.
If you are saving the dashboard as an HTML report, the report is first saved as an HTML file (*.htm), and then the HTML file is automatically displayed inside a browser window. All files (e.g., HTML, graphics and database file) associated with the report are also saved to the report folder. The name of the *.htm file is the same name as the report title (invalid characters are replaced by an underscore _).
If you are saving the dashboard as a PDF report, the report is first saved as a PDF file (*.pdf), and then the PDF file is automatically displayed inside an Acrobat reader window. The name of the *.pdf file is the same name as the report title (invalid characters are replaced by an underscore _).
Note Any selected protocols, flows, and nodes from any of the protocols, flows, and nodes displays are graphed in the report. If a protocols, flows, or nodes list view is currently displayed in the dashboard, then that data appears as a pie chart in the report. For protocols, flows, and nodes, a pie chart is displayed in the report if the pie chart or list view is visible. If a bar chart is visible, a bar chart will be displayed in the report.

Using the Compass dashboard in monitor mode


You can also use the Compass dashboard in monitor mode to monitor the top protocols, top flows, and top nodes traffic on the network. This involves creating an advanced filter using the Compass Adapter analysis module as the filter. Since no packets are actually being captured and saved while in monitor mode, using the Compass dashboard in this manner is an efficient way to monitor the top protocols, top flows, and top nodes traffic in real time.
To use the Compass dashboard in monitor mode:
1. Create a new capture as you normally would in OmniPeek. See Creating an OmniPeek capture window on page 30 and Creating an OmniEngine capture window on page 31.
2. Click the Filters options in the Capture Options dialog.
3. Click the Insert button. The Insert Filter dialog appears.

4. Select Advanced in the Type list. The Advanced view of the Insert Filter dialog appears. The dialog displays a green icon representing a network adapter.


5. Enter a descriptive filter name (e.g., Compass Monitor Mode).
6. Click And> and select Analysis Module. The Analysis Module Filter dialog appears.

7. Select Compass Adapter from the list and click OK.
8. From the Capture Options dialog, select the Filters options and select the newly created filter for the Compass adapter.
9. Click OK to close the Capture Options dialog. A new capture window appears.
10. Click the Compass dashboard, and then click Start Capture to start monitoring using the Compass filter.


CHAPTER 5 Viewing and Decoding Packets


In this chapter:
About packets 94
Capturing packets into a capture window 94
Viewing captured packets 98
Applying decryption in the Packets view 102
Applying SSL decryption to packets 103
Saving captured packets 105
Printing packet lists and packet decode windows 107
Decoding packets 108
Showing data offsets and mask information 113
Choosing a decoder 113
Applying decryption from the packet decode window 116
Decode reassembled PDU 116
Using thread intelligence 117

About packets
Packets, the units of data carried on the network, are the basis for all higher level network analysis. When troubleshooting network problems, it is important to be able to drill down into the packets themselves by looking at their individual decodes as well as use the packets captured into the buffer as the foundation for expert and statistical analysis. The Packets view of a capture window is where you can view information about the individual packets transmitted on your network. Packets can be captured in multiple configurable capture windows, each with its own selected adapter, its own dedicated capture buffer, and its own settings for filters, triggers, and statistics output. With OmniPeek, you can have capture windows for capturing packets locally from OmniPeek, and remotely from an OmniEngine. The number of capture windows you can have open at one time is only limited by the amount of available memory.

Capturing packets into a capture window


To capture packets:
1. Create a new capture as defined in Creating an OmniPeek capture window on page 30.
2. Select the Packets view of the capture window.

3. Click Start Capture to begin capturing packets. The Start Capture button changes to the Stop Capture button and packets begin populating the capture window.

Tip You can right-click a column heading to hide or display column headings. See Packet list columns on page 466 for a list of available columns.
4. Click Stop Capture when you want to stop capturing packets.
You have various options for saving captured packets. See Saving captured packets on page 105. Review the rest of this user guide to learn how you can use the data from the captured packets to analyze your network.
Tip To resume capturing from where you left off, hold down the Shift key and click the Start Capture button. To empty the capture buffer and start a new capture, simply click the Start Capture button again.

OmniEngines Captures tab


The Captures tab in the OmniEngines window is where you create and manage the captures taking place on a particular OmniEngine.

The Captures tab lists all the currently defined captures for a particular OmniEngine, along with summary information about each OmniEngine. Right-click any column header to display a list of available columns to display. See OmniEngine capture tab columns on page 491 for a description of the available columns. The clickable buttons in the toolbar of the OmniEngines window are described below:

Insert: Creates a new OmniEngine capture window.

Important! When you create an OmniEngine capture, that capture continues to exist on the OmniEngine until you delete it, regardless of whether its OmniEngine capture window is open. By contrast, when you close an OmniPeek console capture window, the capture is stopped.

Delete: Deletes the selected capture.
Start Capture: Starts capturing packets for the selected capture. This button also works when the OmniEngine capture window is open. When an OmniEngine capture window is open in OmniPeek, you can also click the Start Capture button of the window to start capture.

Stop Capture: Stops capturing packets for the selected captures. This icon also works when the OmniEngine capture window is open. When an OmniEngine capture window is open in OmniPeek, you can also click the Stop Capture button of the window to stop capture.

Capture Options: Displays the Capture Options dialog for the selected capture.
Refresh: Updates the information in the Captures view, retrieving the most current information from an OmniEngine. You can also set an automatic refresh interval by selecting an interval from the drop-down list to the right of the Refresh button.

Important! Users that do not have permission to create or modify OmniEngine capture windows will find features grayed out, missing, or will receive an error message indicating the task is not allowed. For details, see the OmniEngine Getting Started Guide or the online help in the Omni Management Console application.

Viewing captured packets


The Packets view displays details about each packet, including information provided by the Expert function and Analysis Modules. You can show or hide the Decode and Hex panes of the packets view to see a decode, as well as the raw hexadecimal and ASCII values of the selected packet.

Navigating the Packets view


The Packets view can display any combination of the Packet List, Decode, Hex, and ASCII panes. The toolbar lets you show or hide the panes. The filter bar lets you create a wide variety of advanced filters quickly and directly from the capture window. See Creating filters with the filter bar on page 135.

The buttons in the Packets view toolbar are described here:

Decode Previous: Decodes the previous packet.
Decode Next: Decodes the next packet.
Show Packet List: Shows or hides the Packet List view.
Show Decode View: Shows or hides the Decode view.
Show Hex View: Shows or hides the Hex view.
Toggle Orientation: Changes the orientation of how the Packet List, Decode, and Hex views are displayed.

Zoom Pane: Shows only the view of what is currently selected.
Auto Scroll: Enables or disables the scrolling of packets when packets are being captured. Alternatively, you can press CTRL+K to enable or disable scrolling.
Display Filter: Displays in the packet list only the packets that pass (match) the selected filter. Choosing All shows all packets. This functionality is available with capture windows; however, it cannot be used while capturing (you must stop the capture first). See Display filters on page 122.
Tip Hold down the Shift key to show only those packets which do NOT match the selected filter for the entire buffer. Hold down the Ctrl key to apply the filter for only those packets which are currently visible. Hold down both Shift and Ctrl together to hide any currently visible packets which do not match the selected filter.

Make Filter: Opens the Insert Filter dialog to create a filter based on the selected packet.
Insert Into Name Table: Opens a dialog to add the selected packet into the Name Table. From the dialog, you can also select Node type icons that will appear to the left of the selected packet. For example, Workstation, Server, Router, or Access Point.
Resolve Names: Checks the DNS server for a name to match the supplied address.
Edit Note: Opens the Edit Note dialog to add a note to the selected packet.
Delete Note: Deletes any note entered for the selected packet.
Properties: Displays properties for the capture window. A note can be added to the properties of the capture window.

The Packets view panes are described here:

Packet List: This pane displays information about each packet in a table with user-configurable columns. Right-click a column head to show or hide other available columns. You can also drag column heads to other positions within the table. See Packet list columns on page 466. You can also right-click a packet for additional options, including Select Related Packets. See Selecting related packets on page 146.

Important! By selecting, hiding, and unhiding packets in the Packet List, you can force a recalculation of statistics in other views of the window, based only on the packets that remain visible. See also Copying selected packets to a new window on page 145.

Decode: This pane displays detailed information about the selected packet. Click a detail and the corresponding hexadecimal values and ASCII characters are automatically highlighted in the Hex pane. See Decoding packets on page 108 for more information.
Tip You can double-click a packet to display its Decode window.

Hex: This pane displays the selected packet as raw hexadecimal values and ASCII characters. Click a hexadecimal value or an ASCII character and the corresponding details are automatically highlighted in the Decode pane.

Customizing packet views


You can customize the way packets are displayed in the Packets view by using the Packet List Options dialog. To open the Packet List Options dialog:

Click a column head in the Packet List pane. The Packet List Options dialog appears.

Columns: This tab lets you show, hide, and rearrange columns. See Packet list columns on page 466 for descriptions.
Flags: This tab lets you define both the flag character and the color associated with flagged packets.
Format: This tab lets you set the timestamp format (in milliseconds, microseconds, nanoseconds), as well as configure properties for how packets are displayed.

Note Click the Help button in each of these tabs to learn more about specific options and settings.

Adding notes to packets


You can add descriptive notes to individual packets. The notes are saved whenever the capture window is saved to any of the native OmniPeek capture file formats. See Save file formats on page 105.
Note Adding notes to packets is not supported in the Packets view of an OmniEngine capture window.
To add a note:
1. Select the packet in either the Packets List or in its own Packet Decode window.
2. Click the Edit Note button. The Edit Note dialog appears.

3. Type the text for the note and click OK.
Tip You can also make a note on the contents of a capture window by entering text in the Properties dialog. Click the Properties button to open the Properties dialog.

Applying decryption in the Packets view


You can apply a particular key set to decrypt all or some of the encrypted wireless packets in a capture window. An encrypted packet appears in the Packets view with a W in the Flag column and 802.11 TKIP Data, 802.11 Encrypted Data, or 802.11 WEP Data in the Protocols column.

To apply decryption in the packets tab:
1. Choose Tools > Decrypt WLAN Packets. The Decrypt WLAN Packets dialog appears.

2. Select All packets, Selected packets only, or those packets in the current window which are Encrypted only. Your key set will be applied to this selection of packets.
Important! If you are using a WPA/WPA2 key set, you must select All packets to ensure the inclusion of the four-way handshake authentication that established the PTK (Pairwise transient key) and GTK (Group transient key) used to encrypt the target packets.
3. Select an existing key set under Use key set or browse to open the Key Set options to create a new key set.
4. When you have made your selections, click OK to apply the chosen key set to the chosen packets. A new capture window opens containing the results of the decryption. This new window has the name of the original target window, with the string - Decrypted appended to it.
Note An 802.11 key set cannot be changed while capture is under way. A new key set will not be applied until a capture is stopped and a new capture is created.
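Why the Important! note above insists on All packets: the WPA/WPA2-PSK passphrase alone does not decrypt a single data frame. The analyzer first derives the PMK from passphrase and SSID, then the PTK from the PMK, both MAC addresses and the two nonces exchanged in handshake messages 1 and 2, and only the temporal key inside the PTK unlocks the data frames. The following added example (not OmniPeek code) implements that IEEE 802.11i derivation with the standard library and refuses to proceed when the handshake is missing from the (constructed) EAPOL frame list; the frame tuple layout, MAC addresses and nonces are assumptions:

```python
"""PSK -> PMK -> PTK derivation and handshake-presence check (added example)."""
import hashlib
import hmac
from typing import List, Optional, Tuple

# (message number, ap_mac, sta_mac, nonce) for each EAPOL-Key frame in the capture
EapolFrame = Tuple[int, bytes, bytes, bytes]


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PSK -> PMK (IEEE 802.11i): PBKDF2-HMAC-SHA1, 4096 rounds, 256 bits."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
               anonce: bytes, snonce: bytes, nbytes: int = 48) -> bytes:
    """PTK = PRF-384(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(N)||max(N)).

    48 bytes is the CCMP size: KCK (16) || KEK (16) || TK (16).
    """
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, nbytes)


def handshake_nonces(frames: List[EapolFrame], ap_mac: bytes, sta_mac: bytes) -> Optional[Tuple[bytes, bytes]]:
    """Return (ANonce, SNonce) if messages 1 and 2 for this AP/STA pair are present.

    Without both frames the PTK cannot be derived, which is why the text says
    to decrypt All packets: selecting only the data frames drops the handshake.
    """
    anonce = snonce = None
    for msg, a, s, nonce in frames:
        if (a, s) != (ap_mac, sta_mac):
            continue
        if msg == 1:
            anonce = nonce      # message 1 (AP -> STA) carries the ANonce
        elif msg == 2:
            snonce = nonce      # message 2 (STA -> AP) carries the SNonce
    if anonce is None or snonce is None:
        return None
    return anonce, snonce


def temporal_key(frames, passphrase, ssid, ap_mac, sta_mac) -> Optional[bytes]:
    """Return the 16-byte CCMP TK for the station, or None if the handshake is missing."""
    nonces = handshake_nonces(frames, ap_mac, sta_mac)
    if nonces is None:
        return None
    ptk = derive_ptk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, *nonces)
    return ptk[32:48]


# Constructed sample values (not from a real capture).
AP = bytes.fromhex("001122334455")
STA = bytes.fromhex("66778899aabb")
FRAMES: List[EapolFrame] = [
    (1, AP, STA, bytes(range(32))),        # ANonce
    (2, AP, STA, bytes(range(32, 64))),    # SNonce
    (3, AP, STA, bytes(range(32))),        # message 3 repeats the ANonce
]

if __name__ == "__main__":
    tk = temporal_key(FRAMES, "password", "IEEE", AP, STA)
    print("TK:", tk.hex() if tk else "handshake incomplete")
```

The same reasoning explains the Note about changing key sets mid-capture: a station that associated before the new key set was applied has no handshake in the new buffer, so its frames stay encrypted no matter how correct the passphrase is.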

Applying SSL decryption to packets


You can apply a particular key set to decrypt SSL encrypted packets in a capture window. There are four pieces of information that are needed to decrypt SSL encrypted packets:

The IP address of the server
The port being used for SSL data
The file path to a PEM file (*.pem) that contains the server's SSL private key
The password to decrypt the private key if it is encrypted


Chapter 5: Viewing and Decoding Packets

Note: Ciphersuites that use Diffie-Hellman or Ephemeral Diffie-Hellman are not currently supported.

To apply or edit SSL decryption in the Packets view:
1. Make sure the capture is stopped (for example, click Stop Capture from the capture window).
2. Choose Tools > Decrypt SSL Packets. The SSL Server Keys dialog appears.
3. Click Insert or Edit. The Add Server Key dialog appears.
4. Complete the dialog:
   - IP Address: The IP address of the server.
   - SSL Port: The port being used for SSL data. The default is port 443, which is the port commonly used for SSL.
   - Private Key File: The file (*.pem) that contains the server's SSL private key.
   - Key File Password: The password (if needed) to decrypt the private key if it is encrypted.
5. Click OK. A copy of the capture window is made and each packet in the new capture window that matches the criteria specified goes through the SSL decryption process. If the SSL packet has encrypted data, the data is decrypted and the output is placed in the packet.

Note: If an encrypted packet is received before the packet processor has generated the decryption keys, the packet will not be decrypted.
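The note that Diffie-Hellman suites are unsupported follows from how the server key is used: with RSA key exchange the client encrypts the premaster secret to the server's public key, so the private key in the PEM file recovers it; with DHE/ECDHE (and all of TLS 1.3) the session keys come from ephemeral values that the private key only signs, so no amount of key material in the Add Server Key dialog will decrypt the traffic. The following added example, which is not OmniPeek code and not from this guide, reads the negotiated cipher suite out of a constructed ServerHello record and reports whether server-private-key decryption is possible; the suite identifiers are the IANA-registered values, and pem_needs_password is a small helper for deciding whether the Key File Password field will be needed:

```python
import struct

# Cipher suites whose key exchange encrypts the premaster secret to the server's RSA key.
RSA_KEY_EXCHANGE_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
}
# Suites that derive keys from ephemeral (EC)DH values; the server key only signs.
EPHEMERAL_SUITES = {
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x1301: "TLS_AES_128_GCM_SHA256",        # TLS 1.3: always ephemeral
}


def build_server_hello(cipher_suite: int) -> bytes:
    """Constructed TLS 1.2 ServerHello (empty session id, no extensions) for testing."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack(">H", cipher_suite) + b"\x00"
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack(">H", len(handshake)) + handshake


def negotiated_cipher_suite(record: bytes) -> int:
    """Extract the cipher suite from a ServerHello carried in a TLS handshake record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x02:
        raise ValueError("record does not carry a ServerHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    # body layout: version(2) random(32) session_id_len(1) session_id(n) cipher_suite(2) ...
    sid_len = body[34]
    offset = 35 + sid_len
    return struct.unpack(">H", body[offset:offset + 2])[0]


def server_key_can_decrypt(record: bytes):
    """(True, suite name) when the server's private key can recover the session keys,
    otherwise (False, suite name or hex id)."""
    suite = negotiated_cipher_suite(record)
    if suite in RSA_KEY_EXCHANGE_SUITES:
        return True, RSA_KEY_EXCHANGE_SUITES[suite]
    return False, EPHEMERAL_SUITES.get(suite, "0x%04x (unknown suite)" % suite)


def pem_needs_password(pem_text: str) -> bool:
    """True when the PEM private key is encrypted and a Key File Password will be required."""
    return "Proc-Type: 4,ENCRYPTED" in pem_text or "BEGIN ENCRYPTED PRIVATE KEY" in pem_text
```

Checking the ServerHello of a session this way, before entering a server key, avoids a silent failure later: packets in a DHE/ECDHE session simply stay encrypted in the decrypted copy of the capture window.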

Saving captured packets


You can save captured packets to a supported file format for later examination and comparison. You can choose to save all packets currently visible in the active window, or just the packets currently selected.

To save all packets:
1. Choose File > Save All Packets.
2. Select the file format and click Save. (See Save file formats on page 105 for a description of the available file formats.)

To save selected packets:
1. Select the desired packets.
2. Choose File > Save Selected Packets.
3. Select the file format and click Save. (See Save file formats on page 105 for a description of the available file formats.)

Save file formats


You can save packets to the supported file formats below.

Capture file formats


The capture file formats are:

- WildPackets Packet File (*.pkt): The packets are saved to a WildPackets packet file format, with a *.pkt extension.
- WildPackets Packet File (compressed) (*.wpz): The packets are saved to a compressed WildPackets packet file format used to save disk space. This file format uses a *.wpz extension.
- WildPackets Wireless Packet File (*.apc): The packets are saved to a WildPackets wireless packet file format, with a *.apc extension.
- WildPackets Classic Packet File (*.pkt): The packets are saved to a WildPackets packet file format compatible with older WildPackets programs, such as older versions of AiroPeek, EtherPeek SE (5.0 and earlier), and EtherPeek NX (2.0 and earlier). This file format uses a *.pkt extension.

Note: The compressed Packet File format (*.wpz) is not supported for automatic file creation during packet capture. When a capture window is set to Continuous Capture, Save to Disk, only the uncompressed format (*.pkt) can be used to automatically save the resulting files. The compressed format can be used normally to Save All Packets or Save Selected Packets from any capture window.

Other file formats


In addition to the capture file formats above, you can save packets from any media type to the following formats.

- Packet List (Tab delimited, UTF-8) (*.txt): The packets and columns displayed in the Packet List are saved to a tab-delimited text file in UTF-8 encoding.
- Packet List (Comma delimited, ASCII) (*.csv): The packets and columns displayed in the Packet List are saved to a comma-delimited text file in ASCII encoding.
- Decoded Packets (*.txt): The packets are decoded and saved to a plain text file.
- Decoded Packets (*.rtf): The packets are decoded and saved to an RTF file that preserves the text formatting and page layout of the same packets in the Decode view of the Packet Decode window.
- Decoded Packets (*.htm): The packets are decoded and saved to an HTML file that preserves the text formatting and page layout of the same packets in the Decode view of the Packet Decode window.
- Libpcap (Wireshark, AirPcap, Tcpdump, etc.) (*.pcap, *.pcap.gz, *.cap, *.dmp, *.appcap, *.appcapz): The packets are saved to a binary format compatible with many free/open source programs such as tcpdump and Ethereal.
- PcapNG (Wireshark, etc.) (*.pcapng, *.pcapng.gz, *.ntar, *.ntar.gz): The packets are saved to a binary format compatible with many free/open source programs such as tcpdump and Ethereal.
- NG Sniffer DOS file (*.enc): The packets are saved as a Sniffer trace file in DOS format. This file format uses a *.enc extension.
- Raw Packet Data (*.txt): The packets are saved to a file as raw text. The file includes raw hexadecimal and ASCII data, 16 bytes per line, hex on the left, ASCII on the right.
- TCP/UDP/RTP Data File (*.*): The part of the packet that is after the end of the TCP, UDP, or RTP header, up to and including the data at the offset specified by the Total Length field of the IP header, is saved to a filename and file format that you must specify. This part of the packet typically contains the application data for file transfers. If multiple packets are selected, their contents are saved as one continuous file, in packet number order.
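The Libpcap format listed above is the one most other tools read, and it is simple enough to handle without a library. The following added example, which is not OmniPeek code and not from this guide, writes and reads classic libpcap files (24-byte global header, 16-byte record header per packet) using a constructed Ethernet frame; it honours the snapshot length the way a capture with packet slicing does, recording both the captured and the original length, and refuses files with an unknown magic number or a truncated final record:

```python
import os
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4          # microsecond timestamps; byte order of the writer
LINKTYPE_ETHERNET = 1

# Constructed 60-byte Ethernet frame (broadcast destination, zero payload); not real traffic.
SAMPLE_FRAME = bytes.fromhex("ffffffffffff" "020011223344" "0800") + bytes(46)


def write_pcap(path, packets, snaplen=65535, linktype=LINKTYPE_ETHERNET):
    """Write (timestamp_seconds, frame_bytes) pairs to a libpcap file, slicing to snaplen."""
    with open(path, "wb") as f:
        # magic, version 2.4, thiszone, sigfigs, snaplen, linktype
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype))
        for ts, data in packets:
            sec = int(ts)
            usec = int(round((ts - sec) * 1_000_000))
            captured = data[:snaplen]                     # packet slicing
            f.write(struct.pack("<IIII", sec, usec, len(captured), len(data)))
            f.write(captured)


def read_pcap(path):
    """Return (linktype, [(timestamp, captured_bytes, original_length), ...])."""
    with open(path, "rb") as f:
        hdr = f.read(24)
        if len(hdr) < 24:
            raise ValueError("file too short for a libpcap header")
        magic = struct.unpack("<I", hdr[:4])[0]
        if magic == PCAP_MAGIC:
            endian = "<"
        elif magic == 0xD4C3B2A1:                          # written on a big-endian host
            endian = ">"
        else:
            raise ValueError("not a libpcap file: magic 0x%08x" % magic)
        _major, _minor, _zone, _sigfigs, _snaplen, linktype = struct.unpack(endian + "HHiIII", hdr[4:])
        records = []
        while True:
            ph = f.read(16)
            if len(ph) < 16:
                break                                       # clean end of file
            sec, usec, incl, orig = struct.unpack(endian + "IIII", ph)
            data = f.read(incl)
            if len(data) < incl:
                raise ValueError("truncated packet record at offset %d" % (f.tell() - len(data) - 16))
            records.append((sec + usec / 1_000_000, data, orig))
        return linktype, records


def roundtrip_demo():
    """Write two constructed frames with a 100-byte snaplen and read them back."""
    frames = [(1700000000.000123, SAMPLE_FRAME), (1700000000.25, SAMPLE_FRAME * 2)]
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "demo.pcap")
        write_pcap(path, frames, snaplen=100)
        return read_pcap(path)


if __name__ == "__main__":
    linktype, records = roundtrip_demo()
    for ts, data, orig in records:
        print("%.6f captured=%d original=%d" % (ts, len(data), orig))
```

The second frame is 120 bytes but only 100 are stored; a reader that ignores the original-length field would misreport such packets, which is the same distinction the Decode view makes between Packet Length and Slice Length.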

Deleting all packets


You can only choose to delete all packets, and not a selected group of packets.

Note: There is no direct command to delete packets from an OmniEngine capture window. If you restart a capture in the OmniEngine capture window, all existing packets are deleted first. Capture files already saved to disk are not affected. Capture files saved to disk can be managed through the Files tab of the OmniEngines window.

To delete all packets, including any hidden packets:

Choose Edit > Clear All Packets.

Tip: You can choose Copy Selected Packets to New Window from the context menu in the Packets view to isolate a selected group of packets. See Copying selected packets to a new window on page 145.

Printing packet lists and packet decode windows


You have several options for printing packets from a capture window. To print the packets currently displayed in the Packets view:

Choose File > Print.

Note: For more on selecting, hiding, and unhiding packets, see Chapter 7, Post-capture Analysis.

To print selected packets as decoded packets:

Choose File > Print Selected Packets.

The packets are decoded and saved to an RTF file that preserves the text formatting and page layout of the same packets in the Decode view of the Packet Decode window.

Tip: You can also save the packets as decoded packets in an RTF or HTML format, and then print them from another application that can read and print those file types. This alternative preserves the formatting of the Packet Decode window and allows multiple packets to be printed on individual pages.

Decoding packets
When troubleshooting your network or tracking down a security breach, analyzing the details of a packet can be very useful. You can view the details of a packet by opening the packet in a Packet Decode window. The Packet Decode window makes packet headers readable and understandable. To open a packet in a Packet Decode window:

Double-click a packet in the Packet List.

[Figure: Packet Decode window, showing the Window Header, Decode, Hex, and ASCII panes]

Tip: You can open Packet Decode windows for up to 10 packets at once; simply select multiple packets in the active Packet List and press Enter.

Window header
The window header has the following parts:

[Figure: Packet Decode window header, with callouts for Decode Previous, Decode Next, Show Decode View, Show Hex View, Toggle Orientation, Zoom Pane, Display Filter, Make Filter, Insert Into Name Table, Resolve Names, Title Bar, Edit Note, and Delete Note]

- Decode Previous: Displays the previous packet (you can also press F7 to display the previous packet).
- Decode Next: Displays the next packet (you can also press F8 to display the next packet).
- Show Decode View: Shows or hides the Decode view.
- Show Hex View: Shows or hides the Hex view.
- Toggle Orientation: Changes the orientation of both the Decode and Hex view, when both views are displayed.
- Zoom Pane: Displays only the currently active view (the view with the current active highlight). Click this icon again to toggle back to the previous view.
- Display Filter: Displays packets based on the selected filter.
- Make Filter: Makes a filter based on the selected item in the Decode view. See Creating filters with the Make Filter command on page 128.
- Insert Into Name Table: Opens the Edit Name dialog. See Adding entries to the name table on page 364.
- Resolve Names: Substitutes name for logical address. See OmniPeek name resolution on page 368.
- Title bar: Displays the capture window name and the number of the packet.
- Edit Note: Inserts a note. See Adding notes to packets on page 102.
- Delete Note: Deletes an existing note for the packet. See Adding notes to packets on page 102.

Decode view
The Decode view displays decoded packet data in byte order from top to bottom. Click the minus or plus signs to collapse or expand the view of any header section. In collapsed mode, you get a summary of the layer. The Packet Info (in green) at the top is generated automatically by OmniPeek. The following table lists the parameters that may appear in Packet Info.

- Flags: Denotes the flag of a packet. Packets can be flagged, based on their match with a variety of conditions. Flags vary from one network medium to another.
- Status: Indicates any one of several conditions, including that the packet was truncated or sliced. Shows a value of 0x00 when the packet does not have any of these other conditions.
- Packet Length: The number of bytes that the card retrieved off the network for this packet, including all header information and FCS.
- Slice Length: When Slice Length appears, it indicates the number of bytes of the packet which were captured. This is shown only if packet slicing was used on a packet, or if data was truncated because it was unavailable.
- Timestamp: The time the packet was received.
- Data Rate: The data rate at which the body of the 802.11 WLAN packet was transmitted.
- Channel: The 802.11 WLAN channel number and radio frequency at which the packet was transmitted.
- Signal Level: The signal strength of the transmission in which the 802.11 WLAN packet was received, expressed as the RSSI normalized to a percentage.
- Signal dBm: The signal strength of the transmission in which the 802.11 WLAN packet was received, expressed in dBm (decibel-milliwatts). If the packet was captured on an adapter that does not report values for signal level in dBm, this item will not be shown.
- Noise Level: The noise level reported in the receipt of this 802.11 WLAN packet, expressed as a percentage. If the packet was captured on an adapter that does not report values for noise, this will show as 0%.
- Noise dBm: The noise level reported in the receipt of this 802.11 WLAN packet, expressed in dBm (decibel-milliwatts). If the packet was captured on an adapter that does not report values for noise in dBm, this item will not be shown.

Note: OmniPeek decodes hundreds of network, transport, application and device control protocols, displaying both the commands and their meaning. When the data portion of the packet is listed toward the end of the Decode view simply as data, OmniPeek has reached a layer of the packet that it cannot decode with the current or default decoder. For details about selecting an alternative decoder, see Choosing a decoder on page 113. If you are writing your own protocols and wish to write your own decoders, see Writing your own decoders on page 116.

Hex and ASCII views


The Hex view displays the actual packet contents as raw hexadecimal values and its ASCII (or EBCDIC) equivalent. Color coding is used to link the Decode view with the Hex view for both Hex and its ASCII equivalent. The Hex and ASCII views are in turn linked to the color of the protocol shown in the Protocols column of the Packet List. When you highlight a section of the Decode view, the corresponding portion of the hex data and the ASCII data in the Hex view is shown in gray. Conversely, if you highlight a section in the Hex view, the corresponding portion of the Decode view is also highlighted. You can choose display options by right-clicking inside the Hex and ASCII views and selecting from the following options:

- Copy: Copies the selected data in the Decode, Hex, and ASCII views. If a data field is selected in the Decode view, the data field and value is copied. If a Hex value is selected in the Hex view, the data field and value is copied. If an ASCII value is selected in the ASCII view, the ASCII value is copied.
- ASCII: Displays the text portion of the Hex view as ASCII.
- EBCDIC: Displays the text portion of the Hex view as EBCDIC.
- Decimal Offsets: Displays the offsets to the left of the hexadecimal values as decimal values.
- Hexadecimal Offsets: Displays the offsets to the left of the hexadecimal values as hexadecimal values.
- Show Offsets: Hides or displays the Offset values.
- Show Hex: Hides or displays the hexadecimal values.
- Show ASCII: Hides or displays the ASCII values.
- Show Colors: Hides or displays color.
- Bytes Per Row: Controls the width of the Hex view.

Important! Many protocols, especially the older Internet protocols such as HTTP, POP3, FTP, Telnet, and others transmit packet data in plain ASCII text. To prevent unauthorized access to this data, controlling access to OmniPeek should be a normal part of your security routine.
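The Hex view options above, and the Raw Packet Data save format described under Save file formats (16 bytes per line, hex on the left, ASCII on the right), are both variations of one hex dump. The following added example, which is not OmniPeek code and not from this guide, produces that dump with the same switches: decimal or hexadecimal offsets, ASCII or EBCDIC text (EBCDIC is rendered with Python's cp500 codec), bytes per row, and the ability to hide any column. The sample data is constructed:

```python
def render_text(chunk: bytes, ebcdic: bool = False) -> str:
    """Text column: printable characters as themselves, everything else as a dot."""
    if ebcdic:
        text = chunk.decode("cp500")                       # IBM EBCDIC code page 500
        return "".join(c if c.isprintable() and ord(c) < 0x7F else "." for c in text)
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)


def hex_dump(data: bytes, bytes_per_row: int = 16, decimal_offsets: bool = False,
             ebcdic: bool = False, show_offsets: bool = True, show_hex: bool = True,
             show_ascii: bool = True) -> str:
    """One line per row: offset, hex bytes, text. Defaults match the Raw Packet Data layout."""
    rows = []
    for off in range(0, len(data), bytes_per_row):
        chunk = data[off:off + bytes_per_row]
        parts = []
        if show_offsets:
            parts.append("%08d" % off if decimal_offsets else "%08x" % off)
        if show_hex:
            hex_part = " ".join("%02x" % b for b in chunk)
            parts.append(hex_part.ljust(bytes_per_row * 3 - 1))   # keep the text column aligned
        if show_ascii:
            parts.append(render_text(chunk, ebcdic))
        rows.append("  ".join(parts))
    return "\n".join(rows)


# Constructed sample: the start of an HTTP request followed by eight binary bytes.
SAMPLE = b"GET / HTTP/1.1\r\nHost: example.test\r\n" + bytes(range(8))

if __name__ == "__main__":
    print(hex_dump(SAMPLE))
    print(hex_dump(SAMPLE, bytes_per_row=8, decimal_offsets=True))
```

The Important! note above is visible in the output: the request line and Host header read straight out of the text column, which is exactly why access to the analyzer, and to saved capture files, needs the same controls as the traffic it records.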

Showing data offsets and mask information


Offsets are a measure of location within a packet, counted as the distance in bytes from the first byte of the packet. The offset of the first byte is 0, that of the second byte is 1, and so on. The mask is a mathematical way of defining a particular bit or bits within a byte. The offset and mask information is especially useful when developing protocols, constructing filters, and in a variety of other detailed packet analysis tasks. To hide or display offsets in the Decode view:

Right-click inside the Decode view and select Show Offsets.

Tip: You can quickly create a filter that matches the value found at a particular point in a packet, directly from the Decode view. Highlight the item you wish to match and click the Make Filter button, or right-click and choose Make Filter.

Choosing a decoder
Decoders provide the instructions required to display packet contents, based on the type of protocols used. For certain packets, you can choose a decoder directly from the Decode view. Choosing a decoder is particularly useful in environments where new protocols are under development, or where TCP or UDP applications are using non-standard ports. When a decoder can be chosen for a packet, the Choose Decoder option appears when you right-click inside the Decode view.


To choose a decoder for the packet:
1. Right-click inside the Decode view and select Choose Decoder. The Select Decoder dialog appears with a list of decoders available for the packet.
2. Select the desired decoder and click Use Decoder. The decoder you choose will be used for the current packet and all subsequent packets of the same type.

Important! To restore the default, select Default Decoder from the Select Decoder window.

Note: WildPackets provides decoders for hundreds of protocols and subprotocols (see http://www.wildpackets.com/support). The modules that decode packets are installed in the Decodes folder where the program is installed.

Line decoders
The Select Decoder window shows a context-sensitive list of decoders which can be applied to the current packet. If the packet contains TCP or UDP, this list will include generic line decoders such as Display Number Of Bytes. The following table lists the available line decoders and their behavior.

- Default Decoder: When you select this decoder, the program returns to its default behavior when decoding packets of the current type. Use this selection to stop using any decoder previously selected in the Select Decoder window and restore the program's ability to choose its own decoder.
- Display Number Of Bytes: This line decoder displays only the number of bytes in the UDP or TCP payload of the packet.
- Display Text And Binary: This line decoder displays 0x00 through 0x1F as their code equivalents (0x00, for example, is <NULL>), displays (non-extended) ASCII characters as ASCII text, and displays any other values as a dot (.). In contrast, the ASCII part of the Hex view displays the extended ASCII character set (which includes accented characters, for example) and displays all non-ASCII values as dots.
- Display All Lines: This line decoder displays only (non-extended) ASCII characters, plus line feed / carriage return (0x0D and 0x0A). When it encounters the first value outside this set, the decoder stops and displays the number of bytes remaining in the payload portion of the UDP or TCP packet.
- Display Fields And Lines: This line decoder searches for lines containing semi-colons (;). Each line with a semi-colon is split in two, with the part before the semi-colon treated as the label and the part to the right of the semi-colon treated as the data. Lines containing text without semi-colons are treated as for the Display All Lines decoder above. That is, non-extended ASCII text is displayed until the first non-ASCII character is reached. The decoder then displays the number of bytes remaining in the payload of the TCP or UDP packet. This decoder is particularly useful for scanning through the Label;Value pairs found in HTTP and FTP packets, particularly when the transactions are taking place on ports other than the default port 80 (HTTP) or port 21 (FTP).
- Display Text Lines Only: This line decoder displays all the non-extended ASCII characters, plus line feeds and carriage returns (LF/CR), ignoring all other characters. If no LF/CR is encountered, lines are automatically wrapped at 120 characters.
- Display Dotted Names Only: This line decoder searches for lines of non-extended ASCII text containing the period character (.). It displays each such line. All other lines are ignored. This decoder is useful when scanning for file names and IP names and addresses that use dotted notation.
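The behaviours in the table above are simple enough to state as code, which makes their differences concrete (where Display All Lines stops, what Display Text Lines Only silently drops, how Display Fields And Lines splits a line). The following added example, which is not OmniPeek code and not from this guide, implements each of the generic line decoders over a constructed TCP payload consisting of an HTTP-style request followed by a few binary bytes. The control-byte names and the split on the first semicolon are choices made here; the guide does not list the exact names it prints for every code:

```python
# Constructed sample payload (not from a real capture): an HTTP-style request with one
# "label;value" line, followed by seven bytes of binary data.
SAMPLE_PAYLOAD = (b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n"
                  b"Cookie;session=abc\r\n\r\n" + b"\x00\x89PNG\r\n")

# Names shown for control bytes 0x00-0x1F; anything unlisted is shown as <0xNN>.
CONTROL_NAMES = {0x00: "<NULL>", 0x09: "<TAB>", 0x0A: "<LF>", 0x0D: "<CR>"}
LINE_BREAKS = {0x0D, 0x0A}


def is_ascii_printable(b: int) -> bool:
    """Non-extended, printable ASCII (0x20-0x7E)."""
    return 0x20 <= b < 0x7F


def display_number_of_bytes(payload: bytes):
    return ["%d bytes" % len(payload)]


def display_text_and_binary(payload: bytes):
    out = []
    for b in payload:
        if b < 0x20:
            out.append(CONTROL_NAMES.get(b, "<0x%02X>" % b))
        elif b < 0x7F:
            out.append(chr(b))
        else:
            out.append(".")              # extended / non-ASCII values become a dot
    return ["".join(out)]


def _text_prefix(payload: bytes):
    """Split at the first byte outside printable ASCII plus CR/LF: (text, bytes_remaining)."""
    for i, b in enumerate(payload):
        if not (is_ascii_printable(b) or b in LINE_BREAKS):
            return payload[:i], len(payload) - i
    return payload, 0


def display_all_lines(payload: bytes):
    text, remaining = _text_prefix(payload)
    lines = text.decode("ascii").splitlines()
    if remaining:
        lines.append("%d bytes remaining" % remaining)
    return lines


def display_fields_and_lines(payload: bytes):
    """Lines containing a semicolon become (label, value) pairs; other lines pass through."""
    result = []
    for line in display_all_lines(payload):
        label, sep, value = line.partition(";")
        result.append((label, value) if sep else line)
    return result


def display_text_lines_only(payload: bytes, wrap: int = 120):
    """Keep printable ASCII plus CR/LF, ignore all other bytes, wrap long lines at 120."""
    text = "".join(chr(b) for b in payload if is_ascii_printable(b) or b in LINE_BREAKS)
    lines = []
    for line in text.splitlines():
        while len(line) > wrap:
            lines.append(line[:wrap])
            line = line[wrap:]
        lines.append(line)
    return lines


def display_dotted_names_only(payload: bytes):
    return [line for line in display_text_lines_only(payload) if "." in line]


LINE_DECODERS = {
    "Display Number Of Bytes": display_number_of_bytes,
    "Display Text And Binary": display_text_and_binary,
    "Display All Lines": display_all_lines,
    "Display Fields And Lines": display_fields_and_lines,
    "Display Text Lines Only": display_text_lines_only,
    "Display Dotted Names Only": display_dotted_names_only,
}

if __name__ == "__main__":
    for name, decoder in LINE_DECODERS.items():
        print(name)
        for line in decoder(SAMPLE_PAYLOAD):
            print("   ", line)
```

Note the difference on the binary tail: Display All Lines stops at the 0x00 byte and reports the remainder, while Display Text Lines Only skips the two non-text bytes and keeps going, so the "PNG" fragment surfaces as a line of its own.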

Writing your own decoders


If you find proprietary protocols on your network for which WildPackets does not supply decoders, or if you are developing your own protocols, you may want to write your own decoders. See http://mypeek.wildpackets.com for information on writing decoders.

Applying decryption from the packet decode window


You can decrypt WPA or WEP-encrypted packets directly from the Packet Decode window.

To decrypt a WPA or WEP-encrypted packet:
1. Right-click inside the Packet Decode window and select Apply Decryption. The Decrypt WLAN Packets dialog appears.
2. Follow the steps in Applying decryption in the Packets view on page 102.

Decode reassembled PDU


The PDU is the Protocol Data Unit: the payload of a network application packet. When a web page, for example, is sent over the Internet, the page is broken into convenient sized pieces and transmitted in a series of packets. You can attempt to locate all of the other pieces of this page, decode them, and present the results in a single temporary Packet Decode window.

Note: Decode reassembled PDU is not supported from an OmniEngine.

To decode and reassemble a PDU:

Right-click a packet containing one of the fragments of the web page and choose Decode Reassembled PDU.

An attempt is made to locate all of the other pieces of the page and decode them; the results are presented in a single temporary Packet Decode window. The title bar of the window shows a packet number, followed by (Reassembled PDU). The packet number is the packet identified as the one containing the first part of the PDU.

Tip: You can choose to save or print the decode of the individual Packet Decode window containing the reassembled PDU (choose Save Packet, or Print from the File menu).

Note: The Packet Decode window containing the decoded reassembled PDU is temporary. If you close the window without saving, the information is discarded. In any case, creating a reassembled PDU does not change the contents of any of the packets in the capture window.
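For a TCP-carried PDU such as a web page, "locating the other pieces" means ordering the segments of the stream by sequence number, discarding retransmissions and overlap, and noticing when a piece is missing from the buffer. The following added example, which is not OmniPeek code and not from this guide, does that for a constructed HTTP response delivered out of order and with one retransmitted segment; it returns the number of the packet holding the first part of the PDU (the number the title bar would show), the reassembled bytes, and any sequence-number gaps, and it checks the result against the Content-Length header so an incomplete reassembly is not mistaken for a complete page:

```python
from dataclasses import dataclass


@dataclass
class Segment:
    number: int      # packet number in the capture window
    seq: int         # TCP sequence number of the first payload byte
    payload: bytes


def reassemble_pdu(segments):
    """Return (first_packet_number, data, gaps). gaps lists (expected_seq, actual_seq) pairs
    where bytes were missing. Sequence-number wraparound is not handled in this example."""
    if not segments:
        return None, b"", []
    ordered = sorted(segments, key=lambda s: (s.seq, s.number))
    first_packet = ordered[0].number
    expected = ordered[0].seq
    data = bytearray()
    gaps = []
    for seg in ordered:
        end = seg.seq + len(seg.payload)
        if end <= expected:
            continue                                   # full duplicate / retransmission
        if seg.seq < expected:
            payload = seg.payload[expected - seg.seq:]  # trim the overlapping prefix
        else:
            if seg.seq > expected:
                gaps.append((expected, seg.seq))       # a piece is missing from the buffer
            payload = seg.payload
        data += payload
        expected = end
    return first_packet, bytes(data), gaps


def http_body_complete(data: bytes) -> bool:
    """True when the reassembled bytes hold a full header block and a body whose length
    matches the Content-Length header."""
    head, sep, body = data.partition(b"\r\n\r\n")
    if not sep:
        return False
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"content-length:"):
            return len(body) == int(line.split(b":", 1)[1].strip())
    return False


# Constructed sample: one HTTP response split into three TCP segments, seen out of order,
# with the middle segment retransmitted (packet 8 repeats packet 7).
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 28\r\n\r\n<html><body>hi</body></html>"
A, B, C = RESPONSE[:20], RESPONSE[20:45], RESPONSE[45:]
CAPTURED = [
    Segment(7, 1020, B),
    Segment(5, 1000, A),
    Segment(9, 1045, C),
    Segment(8, 1020, B),
]

if __name__ == "__main__":
    first, data, gaps = reassemble_pdu(CAPTURED)
    print("Packet %d (Reassembled PDU), %d bytes, gaps=%s, complete=%s"
          % (first, len(data), gaps, http_body_complete(data)))
```

Reassembly works on whatever is still in the buffer, so a page whose first segments were already overwritten or never captured comes back with gaps; the packet number reported is then the earliest piece that was found, not necessarily the true start of the PDU.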

Using thread intelligence


The information required to decode packets into their protocol components is usually contained within the packet. For some protocols, however, the required information is not contained in the packet itself, but in a previous packet exchanged between the same two nodes. Thread intelligence is supported for some protocols, including Simple Network Management Protocol (SNMP), Simple Mail Transfer Protocol (SMTP), AppleTalk Session Protocol (ASP), Printer Access Protocol (PAP), NetWare Core Protocol (NCP), and others.

Note: Thread intelligence is not supported from an OmniEngine.

[Figure: a Request packet and its Response packet linked by a thread]

When two or more packets are related to the same session in one of these protocols, the packets can be pre-decoded in the order in which they arrived, allowing the Request/Response pairs to be connected. This provides a richer set of decode information than would otherwise be available. This relationship between packets is called a thread, and the pre-decoding done to establish the thread is called making a thread. Making threads operates on packets still in the buffer.

Threads are used to keep track of the protocol type in decoding Response packets associated with a particular Request. There are two ways to employ thread intelligence:

- The Select Related Packets command, to find possibly related threads.
- The Make Threads command, to automatically create any threads from packets near the selected packets.

To make threads:
1. Select the packets in the Packet List where you believe threads may exist (you can use Ctrl + A to select all packets).
2. Right-click and choose Make Threads.

Manually selecting further decode options


If you view the Request packet first, OmniPeek keeps track of the thread when you open the corresponding Response packets. However, if you view a Response packet before you have opened a preceding Request, no thread will have been started, and OmniPeek displays a question mark (?) instead of the protocol type at the top of the Packet Decode window. You can click the Choose Decoder icon (a question mark) if it is available for the packet to open the Select Decoder dialog, and then manually choose the decoder to use. As an alternative to manually selecting options for further decoding packets, you can instruct OmniPeek to make threads before opening any packets. This ensures that the threads will exist even if you open a Response packet first. To make threads in the background before you open packets, use the Select Related Packets command or Select All Packets (either from the Edit menu or from the context menu), and then choose the Make Threads command from the context menu (right-click). You can then view packets in any order.
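The order dependency described above is easiest to see in code. The following added example, which is not OmniPeek code and not from this guide, models thread intelligence on constructed packets: a Request is recognised from its payload, the thread it starts is keyed on the two endpoints regardless of direction, and a Response on a non-standard port can only be labelled by looking up that thread. Opening the Response before the Request yields the question mark the guide mentions; running make_threads first (as Select All Packets followed by Make Threads would) avoids it. The request signatures are a small made-up subset, not the decoder's real rule set:

```python
from dataclasses import dataclass


@dataclass
class Packet:
    number: int
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


# Constructed request signatures (illustrative subset only).
REQUEST_SIGNATURES = {b"GET ": "HTTP", b"POST ": "HTTP", b"EHLO ": "SMTP",
                      b"HELO ": "SMTP", b"USER ": "FTP"}


def _request_protocol(payload: bytes):
    for sig, proto in REQUEST_SIGNATURES.items():
        if payload.startswith(sig):
            return proto
    return None


def _thread_key(p: Packet):
    """Same key for both directions of a conversation."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


def make_threads(packets, threads=None):
    """Pre-decode packets in arrival order, remembering the protocol of each Request."""
    threads = {} if threads is None else threads
    for p in sorted(packets, key=lambda p: p.number):
        proto = _request_protocol(p.payload)
        if proto:
            threads[_thread_key(p)] = proto
    return threads


def decode_protocol(packet: Packet, threads=None) -> str:
    """Protocol shown at the top of the Packet Decode window, or '?' when no thread exists."""
    proto = _request_protocol(packet.payload)
    if proto:
        return proto
    return (threads or {}).get(_thread_key(packet), "?")


def open_packets(viewing_order):
    """Simulate opening Packet Decode windows one by one without running Make Threads first:
    a viewed Request starts its thread, so later Responses decode, but not earlier ones."""
    threads = {}
    shown = []
    for p in viewing_order:
        shown.append(decode_protocol(p, threads))
        make_threads([p], threads)
    return shown


# Constructed packets: an HTTP exchange on port 8080 and an SMTP greeting whose Request was
# never captured.
REQ = Packet(1, "10.0.0.5", 51000, "10.0.0.9", 8080, b"GET /status HTTP/1.1\r\n")
RESP = Packet(2, "10.0.0.9", 8080, "10.0.0.5", 51000, b"HTTP/1.1 200 OK\r\n")
SMTP_GREETING = Packet(3, "10.0.0.9", 25, "10.0.0.7", 40000, b"220 mail.example.test ESMTP\r\n")

if __name__ == "__main__":
    print("Response first:", open_packets([RESP, REQ]))
    print("Request first: ", open_packets([REQ, RESP]))
    threads = make_threads([REQ, RESP, SMTP_GREETING])
    print("After Make Threads:", decode_protocol(RESP, threads), decode_protocol(SMTP_GREETING, threads))
```

The SMTP greeting stays a question mark even after Make Threads, because its Request is not in the buffer; that is the case where choosing a decoder manually, as described above, is the only remaining option.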


CHAPTER 6 Creating and Using Filters


In this chapter:
- About filters (page 120)
- Viewing filters (page 120)
- Display filters (page 122)
- Enabling a filter (page 124)
- Creating filters with the Make Filter command (page 128)
- Creating a simple filter (page 128)
- Creating an advanced filter (page 129)
- Creating a new capture window based on a filter (page 132)
- Filter types (page 133)
- Creating filters with the filter bar (page 135)
- Editing filters (page 139)
- Duplicating filters (page 140)
- Saving and loading filters (page 140)


About filters
Filters are used to isolate particular types of traffic on the network for troubleshooting, analysis, and diagnostics. If you want to check a problem between two particular devices, perhaps a computer and a printer, address filters can capture just the traffic between these two devices. If you are having a problem with a particular function on your network, a protocol filter can help you locate traffic related to that particular function. Filters work by testing packets against the criteria specified in the filter. If the contents or attributes of a packet match the criteria specified in a filter, the packet is said to match the filter. You can build filters to test for just about anything found in a packet: addresses, protocols, sub-protocols, ports, error conditions, and more.
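Both this section and Showing data offsets and mask information in Chapter 5 describe the same mechanism: a filter is a predicate over the bytes and decoded attributes of a packet. The following added example, which is not OmniPeek code and not from this guide, builds address, protocol and port filters over a minimal Ethernet/IPv4/TCP/UDP parser, plus an offset/mask/value filter of the kind the Decode view's Make Filter button creates (offset 47 with mask 0x12 isolates TCP SYN-without-ACK in an Ethernet frame with a 20-byte IP header), and applies them with the Accept Matching / Reject Matching semantics described later in this chapter. The frames are constructed, with zero checksums and made-up addresses:

```python
import ipaddress
import struct


def build_frame(src_ip, dst_ip, proto, sport, dport, payload=b"", tcp_flags=0x18):
    """Constructed Ethernet/IPv4/(TCP|UDP) frame for testing; checksums are left at zero."""
    eth = bytes.fromhex("0200000000aa") + bytes.fromhex("0200000000bb") + b"\x08\x00"
    if proto == 6:     # TCP: ports, seq, ack, data offset 5, flags, window, checksum, urgent
        l4 = struct.pack(">HHIIBBHHH", sport, dport, 0, 0, 5 << 4, tcp_flags, 8192, 0, 0)
    else:              # UDP: ports, length, checksum
        l4 = struct.pack(">HHHH", sport, dport, 8 + len(payload), 0)
    total = 20 + len(l4) + len(payload)
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip + l4 + payload


def parse(frame: bytes):
    """Decode the attributes the simple filters need; None for non-IPv4 frames."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src = str(ipaddress.IPv4Address(frame[26:30]))
    dst = str(ipaddress.IPv4Address(frame[30:34]))
    l4 = 14 + ihl
    sport, dport = struct.unpack(">HH", frame[l4:l4 + 4]) if proto in (6, 17) else (None, None)
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport}


def address_filter(a: str, b: str):
    """Traffic between two devices, in either direction."""
    return lambda f: (p := parse(f)) is not None and {p["src"], p["dst"]} == {a, b}


def protocol_filter(ip_proto: int):
    return lambda f: (p := parse(f)) is not None and p["proto"] == ip_proto


def port_filter(port: int):
    return lambda f: (p := parse(f)) is not None and port in (p["sport"], p["dport"])


def value_filter(offset: int, mask: int, value: int):
    """Match when the byte at offset, ANDed with mask, equals value (offset 0 = first byte)."""
    return lambda f: len(f) > offset and (f[offset] & mask) == value


def all_of(*filters):
    return lambda f: all(m(f) for m in filters)


def apply_filter(frames, match, reject_matching=False):
    """Accept Matching keeps frames that match; Reject Matching keeps the others."""
    return [f for f in frames if match(f) != reject_matching]


TCP_FLAGS_OFFSET = 14 + 20 + 13          # Ethernet + IPv4 (no options) + TCP flags byte

# Constructed capture: an HTTP request/response pair, a DNS query, and a lone SYN.
FRAMES = [
    build_frame("10.0.0.5", "10.0.0.9", 6, 51000, 80, b"GET / HTTP/1.1\r\n"),
    build_frame("10.0.0.9", "10.0.0.5", 6, 80, 51000, b"HTTP/1.1 200 OK\r\n"),
    build_frame("10.0.0.5", "10.0.0.20", 17, 5353, 53, b"\x00\x01"),
    build_frame("10.0.0.5", "10.0.0.9", 6, 51001, 80, b"", tcp_flags=0x02),
]

if __name__ == "__main__":
    syn_only = all_of(port_filter(80), value_filter(TCP_FLAGS_OFFSET, 0x12, 0x02))
    print("between .5 and .9:", len(apply_filter(FRAMES, address_filter("10.0.0.5", "10.0.0.9"))))
    print("UDP only:", len(apply_filter(FRAMES, protocol_filter(17))))
    print("SYN to port 80:", len(apply_filter(FRAMES, syn_only)))
```

The value filter is the one that needs care in practice: its offset is counted from the first byte of the frame, so IP options, VLAN tags, or a different link layer shift every later field, which is why the Decode view's offsets are worth checking before hand-writing such a filter.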

Viewing filters
The Filters window in OmniPeek displays all of the filters available in the program. These include pre-defined filters as well as any that you have modified or created. The Filters tab of a connected OmniEngine displays all of the filters available for that particular OmniEngine.

OmniPeek filters window


To open the OmniPeek Filters window, do one of the following:

- Click the Filters button in the main program window toolbar.
- Choose View > Filters.

[Figure: OmniPeek Filters window, with the Filters toolbar called out]

The clickable buttons in the filters toolbar are described below:

- Insert: Click this button to create a new simple or advanced filter.
- Edit: Click this button to make changes to the selected filter.
- Duplicate: Click this button to make a copy of the selected filter.
- Delete: Click this button to delete the selected filter.
- Add Group: Click this button to open the Add Group dialog in which you can create a new group folder. You can drag filters into and out of group folders.
- Import: Click this button to import filters from a filter file with an *.flt extension.
- Export: Click this button to save all filters to a filter file with an *.flt extension.

OmniEngine filters tab


The Filters tab in the OmniEngines window displays the filters available for a particular OmniEngine. To view filters available for an OmniEngine:

Select the Settings tab, and then Filters tab of a connected OmniEngine. (See Connecting to an OmniEngine on page 14.)

[Figure: OmniEngine Filters tab, with the Filters tab and the Refresh button called out]

In addition to the same buttons available from the OmniPeek Filters window, the OmniEngine Filters tab also allows you to refresh the list of filters.

Display filters
The capture filters described in this chapter restrict the flow of packets into the buffer of a capture window. Display Filters, by contrast, are used simply to isolate and view a particular subset of the captured packets in a capture window or in a saved capture file.

[Figure: Display Filters drop-down list in the Packets view]

To view a subset of captured packets:
1. Click the Stop Capture button in the Packets view of a capture window.
2. Click the Display Filter button in the toolbar. A drop-down list appears.
3. Select the filter you wish to use. The capture window now displays only packets passing (matching) this filter.

Tip: Hold down the Shift key to show only those packets which do NOT match the selected filter for the entire buffer. Hold down the Ctrl key to apply the filter for only those packets which are currently visible. Hold down both Shift and Ctrl together to hide any currently visible packets which do not match the selected filter.

Display filters are available from active capture windows only after the capture is stopped. They are always available from saved capture files. For more information, see Opening saved capture files on page 50.

Enabling a filter
In addition to the filters that you can create, numerous pre-defined filters are included with the application. You can enable one or more of these filters in the following ways:

- From the Filters options of the Capture Options dialog, allowing you to control which packets are added to the capture buffer of a new capture window
- From the Filters view of a capture window, allowing you to control which packets are added to the capture buffer of an existing capture window

Enabling filters from the Capture Options dialog


To enable filters from the OmniPeek Capture Options dialog:
1. Do one of the following to open the Capture Options dialog:
   - Click the New Capture button on the Start Page
   - Choose File > New Capture
   - Choose Capture > Capture Options from an open capture window
2. Click the Filters options.
3. Select the filters that you want to enable.
4. Click OK.
5. Click the Start Capture button to begin capturing packets. Any packets that match the filters that are enabled are placed into the capture buffer.

Note: Alternately, you can choose to place the packets that do not match the filter in the capture buffer by clicking the Reject Matching button.

To enable filters from the OmniEngine Capture Options dialog:
1. Do one of the following to open the Capture Options dialog:
   - Click the Insert button in the Captures view of the OmniEngines window
   - Select an existing capture in the Captures view of the OmniEngines window and click the Capture Options button
2. Click the Filters options.
3. Select the filters that you want to enable.
4. Click OK. A capture window appears.
5. Click the Start Capture button to begin capturing packets. Any packets that match the filters that are enabled are placed into the capture buffer.

Note: Alternately, you can choose to place the packets that do not match the filter in the capture buffer by clicking the Reject Matching button.

Enabling filters from the capture window


To enable filters from an OmniPeek capture window: 1. Click the Filters view of a capture window.
Reject Matching Start/Stop Capture

2. Select the filters that you want to enable.

126 Enabling a filter

OmniPeek User Guide

3. Click the Start Capture button to begin capturing packets. Any packets that match the filters that are enabled are placed into the capture buffer.

Note Alternately, you can choose to place the packets that do not match the filter in the capture buffer by clicking the Reject Matching button.

To enable filters from an OmniEngine capture window:
1. Click the Filters view of a capture window.

(Figure: Filters view of an OmniEngine capture window; callouts: Reject Matching, Click here to send changes, Start/Stop Capture)

2. Select the filters that you want to enable.
3. Click the Start Capture button to begin capturing packets. Any packets that match the filters that are enabled are placed into the capture buffer.
4. Send your selections to the OmniEngine by clicking the bar below the toolbar buttons labeled Click here to send changes.


Creating filters with the Make Filter command


You can use the Make Filter command to easily create a filter based on the address, protocol, and port settings of an existing packet, node, protocol, conversation, or packet decode.

To create a filter with the Make Filter command:
1. Right-click a packet, node, protocol, conversation, or packet decode item from one of the views available in a capture window and choose Make Filter. The Insert Filter dialog appears with the Address, Protocol, and Port settings already configured with information obtained from the selected packet.
2. Enter a new name in the Filter text box and make any additional changes.

Note Click the Help button on the dialog to learn about the available options and settings.

3. Click OK. The new filter is now available whenever a list of available filters is displayed.

Note For an OmniEngine, you will need to send your selections to the OmniEngine by clicking the bar below the toolbar buttons labeled Click here to send changes.

4. To enable the new filter in your capture window, click the Filters view and select the check box of the new filter. The filter is applied immediately, even if a capture is already under way.

Creating a simple filter


You can create a simple filter by manually entering the parameters for the filter that you want to create. Unlike creating a filter using the Make Filter command, you will have to manually define one or more of the parameters (address, protocol, and port settings) for the filter you want to create.

To create a simple filter by defining an address and protocol:
1. Do one of the following to display the list of filters:

- Choose View > Filters
- Click the Filters view in an open capture window
- Click the Filters options from the OmniEngine Capture Options dialog

2. Click the Insert button. The Insert / Edit Filter dialog appears.


3. Complete the dialog and click OK. The new filter is now available whenever a list of available filters is displayed.

Note Click the Help button on the dialog to learn about the available options and settings.

Creating an advanced filter


You can create an advanced filter that allows you to create very precise conditions in a single filter. To create an advanced filter, you must define one or more parameters (or filter nodes) joined with logical AND, logical OR, or logical NOT statements.

To create an advanced filter:
1. Do one of the following to display the list of filters:

- Choose View > Filters
- Click the Filters view in an open capture window
- Click the Filters options in the OmniEngine Capture Options dialog

2. Click the Insert button. The Insert Filter dialog appears.
3. Select Advanced in the Type list. The Advanced view of the Insert Filter dialog appears. The dialog displays a green icon representing a network adapter.


(Figure: the Advanced view of the Insert Filter dialog)

4. Define one or more filter nodes by clicking the And> or Or> buttons and selecting and defining one of the available filter parameters. See also Filter types on page 133 for a description of the available filter types. Each time you create a filter node, a dialog appears that lets you define the filter node. Each filter node added to the filter is displayed showing the relationship between the network adapter and the capture buffer (represented by a computer icon). See also Logical AND, OR, and NOT operators in advanced filters on page 130.

Note Click the Help button on the dialog to learn more about the available options and settings.

5. Complete the rest of the Insert Filter dialog and click OK. The new filter is now available whenever a list of available filters is displayed.

Note For an OmniEngine, you will need to send your selections to the OmniEngine by clicking the bar below the toolbar buttons labeled Click here to send changes.

Logical AND, OR, and NOT operators in advanced filters


The Advanced view of the Edit Filter or Insert Filter dialog shows the parameters defined for the Advanced filter:

- The small green icon represents a network adapter.
- A rectangular box represents each parameter (or filter node) that is added to the filter. If the Show node details check box is selected, the details of the filter node are also displayed inside the box.
- Arrows indicate the flow of data through each filter node. A single arrow between filter nodes indicates an AND condition; any packets that match the filter node are allowed to pass through to the next stage. Multiple arrows between filter nodes indicate an OR condition (filter nodes stacked on top of each other also indicate an OR condition); packets that match any of the filter nodes defined by the OR condition are allowed to pass through to the next stage.
- A red circle with an X inside a filter node indicates a NOT condition. All packets that do not match the filter node are allowed to pass through to the next stage.
- The small computer icon represents a capture buffer.

Right-click a filter node for the following options:

- And: Adds a new AND filter node to the currently selected node. Click the sub-menu arrow to select the type of filter node.
- Or: Adds a new OR filter node to the currently selected node. Click the sub-menu arrow to select the type of filter node.
- Not: Toggles the NOT condition of the currently selected node. A red circle with an X inside the filter node indicates a NOT condition. All packets that do not match the filter node are allowed to pass through to the next stage.
- Comment: Displays a dialog that allows you to add/edit a comment for the currently selected node.
- Swap And/Or: Toggles the currently selected node between an AND or OR filter node.
- Cut: Copies the currently selected node to the clipboard, and deletes the node.
- Copy: Copies the currently selected node to the clipboard.
- Copy Tree: Copies the currently selected node, and that node's AND and OR nodes, to the clipboard.
- Paste And: Pastes the nodes currently in the clipboard as an AND node to the currently selected node.
- Paste Or: Pastes the nodes currently in the clipboard as an OR node to the currently selected node.
- Delete: Deletes the selected node.

Right-click inside a blank area of the dialog for the following options:

- Show Details: Toggles displaying filter node details.
- Show Comment in Title: Toggles displaying comments added to filter nodes.
- Zoom In: Zooms in on the display.
- Zoom Out: Zooms out on the display.
- Zoom Reset: Resets the display.

Tip You can also zoom in and out of the display by pressing the CTRL key while using your mouse's scroll wheel.

An example of an Advanced filter is shown below:

(Figure: an Advanced filter with AND, AND NOT and OR nodes between the Network Adapter and the Capture Buffer)

The dialog displays a green icon representing a network adapter. Each parameter (or filter node) added to the filter is displayed showing the relationship between the network adapter and the capture buffer (represented by a computer icon).

Creating a new capture window based on a filter


You can create a new capture window that uses the filter that you are defining in the Insert / Edit Filter dialog as the only enabled filter. This allows you to quickly capture packets based solely on the new filter that you are creating.


To create a new capture window based on a filter:
1. Do one of the following to display the list of filters:

- Choose View > Filters
- Click the Filters view in an open capture window
- Click the Filters options from the OmniEngine Capture Options dialog

2. Click the Insert button. The Insert / Edit Filter dialog appears.
3. Create a simple or advanced filter. See Creating a simple filter on page 128 or Creating an advanced filter on page 129.
4. Click the New Capture button. The Capture Options dialog appears.

Note In the Filters options of the Capture Options dialog, the filter you created in the Insert / Edit Filter dialog is the only filter selected.

5. Complete the Capture Options dialog as you normally would.
6. Click OK.

Filter types
The following table contains the filter types available for creating simple and advanced filters.
802.11: Filters by channel, data rate, encryption state and more, based on information provided in the headers of 802.11 WLAN packets.

Channel: Filters by OmniAdapter port.

Direction: For WAN connections, allows you to match traffic bound in the "to DTE" direction (coming in from the WAN) or in the "to DCE" direction (going out onto the WAN).

Address: Filters by identity of the network node, either receiving or sending, for that packet. This can be a physical address, or a logical address under a particular protocol. You can use the asterisk (*) character as a wildcard when specifying addresses. The program will replace the asterisk with its most inclusive equivalent. Address filters support CIDR for the IP address space. You can use the /x designation to define a smaller range of addresses (Subnet) on which to filter. You can also use the /x designation to define a larger range of addresses (Supernet) on which to filter.

Protocol: Filters by protocol and sub-protocols. For example, FTP is a sub-protocol of TCP, which is itself a sub-protocol of IP.

Port: Filters by port (or socket) within a particular protocol. IP, FTP, and HTTP provide services at different ports or sockets on the server. The default port for Web traffic under TCP, for example, is port 80. OmniPeek assumes that sub-protocols are using the standard default ports (well known ports in TCP and UDP, for example), but you can also set filters to test explicitly for traffic to and/or from particular ports, or from a range of ports (e.g., 80-100).

Value: Filters by numerical value of a particular part of each packet (at a particular offset with a particular mask) for its relation (greater than, less than, equal to, and so forth) to the value you specify.

Pattern: Filters by the presence of a particular character string (ASCII, hexadecimal, EBCDIC format, or regular expression) in each packet. Can be constrained to search within a specified location for greater efficiency.

Length: Filters by the length of the packet and matches those within the range you set, specified in bytes.

Error: Filters by one or more of four error conditions: CRC errors, Frame Alignment errors, Runt packets, and Oversize packets.

Analysis Module: Packets handled by the specified Analysis Module will match the filter.

Tcpdump: Filters against a pcap-filter expression. A pcap-filter expression is made up using the guide found at http://www.manpagez.com/man/7/pcap-filter/.


Creating filters with the filter bar


The Filter Bar allows you to create a variety of advanced filters quickly and directly in capture window views and in the OmniEngine Forensic Search dialog (see Navigating a capture window on page 46 and Performing a forensic search on an OmniEngine on page 153). The parts of the Filter Bar are described below.
(Figure: the Filter Bar; callouts: Filter button, Filter Bar text box, Apply button, Hide/Show options)

- Hide/Show options: Click these triangle icons to hide or show the Filter Bar in a capture window.
- Filter button: Click this button to display Filter Bar menu options.
  - Recent Filters: Select a recently defined filter from this list.
  - Insert Filter: Select a filter from this list.
  - Insert Operator: Select an operator from this list: & (And), | (Or), ! (Not), () (Group)
  - Insert Expression: Select a filter type expression from this list.
  - Check Syntax: Select this option for a tooltip describing the syntax of your filter. For example, a correctly defined filter will display Filter OK in the tooltip.
  - Help: Select this option to display information about how to use the filter bar.
- Filter Bar text box: The filters, operators, and expressions chosen from the Filter button menu appear in this text box as you select them.
- Apply button: Click this button to apply your filter to the packets in the capture buffer of this capture window.

Using the filter bar


To create a filter with the filter bar:
1. Type the filter expression into the text box. To automatically populate the text box, click the Filter button at the far left of the Filter Bar and make your choices from the menu items described above: Recent Filters, Insert Filter, Insert Operator, Insert Expression.
2. Click the Apply button at the far right of the Filter Bar to enable the filter in the capture window. The Selection Results dialog appears.
3. Click Hide selected packets, Hide unselected packets, Copy selected packets to new window, or Close. For more information, see Hiding and unhiding packets on page 145 and Selecting related packets on page 146.

Filter bar syntax


This section defines and describes the WildPackets operators, filter types, and argument names used in creating OmniPeek Filter Bar filters.

syntax: exp [op exp]*

Examples: SMB, smb | netbios, pspec(http) & (!pspec('802.3'))

where:
- op is an operator, one of: & (and), | (or)
- exp is an expression: (!exp), (exp), or keyword[(arglist)]
- keyword is either a filter type or a named filter from the filter list


- arglist is a list of arguments: arg [, arg]*
- arg is an argument: [arg-name ':'] arg-value. The first part is optional for some filters where a default arg-name is assumed.
- arg-name is dependent on the filter type (see Filter type table)
- arg-value is a value or value list (comma separated) for the arg-name, written as value or 'value' (see Filter type table). If the value contains reserved characters (single-quote, space, comma) it must be quoted.
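As an added example (not part of the guide and not WildPackets code), the following Python turns the syntax above into a parser and evaluator: it tokenizes an expression, builds an AST, reports syntax errors the way the Check Syntax tooltip does, and tests a parsed filter against a constructed packet record. It assumes that & binds tighter than | (the guide states no precedence) and implements only the ip, port and pspec filter types plus bare named filters; the packet record and the named filters are constructed for the example.

```python
"""Parser and evaluator for the Filter Bar grammar above (exp [op exp]*; exp is
(!exp), (exp) or keyword[(arglist)]; arg is [arg-name ':'] arg-value). Added
example, not WildPackets code; see the lead-in for the assumptions it makes."""
import re
from fnmatch import fnmatchcase

TOKEN_RE = re.compile(r"'([^']*)'|([&|!(),:])|([^\s&|!(),:']+)|(\S)")  # quoted | punct | word | error

def tokenize(text):
    tokens = []
    for quoted, punct, word, bad in (m.groups() for m in TOKEN_RE.finditer(text)):
        if bad:  # e.g. a lone quote left by an unterminated value
            raise SyntaxError(f"unexpected character {bad!r}")
        tokens.append(("value", quoted) if quoted is not None else
                      ("punct", punct) if punct else ("word", word))
    return tokens + [("end", "end of expression")]  # sentinel, so the parser never runs off the list

class Parser:
    def __init__(self, text):
        self.toks, self.i = tokenize(text), 0

    def take(self, *allowed):  # consume one token; 'allowed' lists token kinds or punctuation
        kind, text = self.toks[self.i]
        if allowed and kind not in allowed and not (kind == "punct" and text in allowed):
            raise SyntaxError(f"expected {' or '.join(allowed)}, got {text!r}")
        self.i += 1
        return kind, text

    def parse_binary(self, ops=("|", "&")):  # exp [op exp]*; '|' loosest, '&' tighter (assumption)
        if not ops:
            return self.parse_unary()
        node = self.parse_binary(ops[1:])
        while self.toks[self.i] == ("punct", ops[0]):
            self.i += 1
            node = ("and" if ops[0] == "&" else "or", node, self.parse_binary(ops[1:]))
        return node

    def parse_unary(self):  # !exp, (exp) or keyword[(arglist)]
        kind, text = self.take()
        if (kind, text) == ("punct", "!"):
            return ("not", self.parse_unary())
        if (kind, text) == ("punct", "("):
            node = self.parse_binary()
            self.take(")")
            return node
        if kind != "word":
            raise SyntaxError(f"unexpected {text!r}")
        args = []
        if self.toks[self.i] == ("punct", "("):
            self.i += 1
            args.append(self.parse_arg())
            while self.take(",", ")")[1] == ",":  # arg [, arg]* then ')'
                args.append(self.parse_arg())
        return ("call", text.lower(), args)

    def parse_arg(self):  # [arg-name ':'] arg-value  ->  (name or None, value)
        kind, text = self.take("word", "value")
        if kind == "word" and self.toks[self.i] == ("punct", ":"):
            self.i += 1
            return (text.lower(), self.take("word", "value")[1])
        return (None, text)

def parse(text):
    parser = Parser(text)
    node = parser.parse_binary()
    parser.take("end")  # anything left over is a syntax error
    return node

def check_syntax(text):  # like the Filter Bar 'Check Syntax' tooltip: 'Filter OK' or the error
    try:
        parse(text)
        return "Filter OK"
    except SyntaxError as err:
        return f"Syntax error: {err}"

def evaluate(node, pkt, named=None):
    """Test one packet record against an AST; 'named' maps filter names to ASTs."""
    if node[0] == "not":
        return not evaluate(node[1], pkt, named)
    if node[0] in ("and", "or"):
        return (all if node[0] == "and" else any)(evaluate(n, pkt, named) for n in node[1:])
    _, keyword, args = node
    values = [v for _, v in args]
    if keyword == "ip":  # '*' wildcards as in ip('10.4.3.*'), either direction
        return any(fnmatchcase(pkt["src"], v) or fnmatchcase(pkt["dst"], v) for v in values)
    if keyword == "port":  # tcpudp ports in either direction; dir: is not applied here
        ports = {int(v) for n, v in args if n in (None, "tcpudp", "port1", "port2")}
        return pkt["src_port"] in ports or pkt["dst_port"] in ports
    if keyword == "pspec":  # protocol names, case-insensitive
        return any(v.lower() in pkt["protocols"] for v in values)
    if keyword in (named or {}):  # a bare named filter from the filter list, e.g. SMB
        return evaluate(named[keyword], pkt, named)
    raise ValueError(f"unsupported filter keyword {keyword!r}")

# Constructed sample: an HTTP request over TCP/IPv4, plus two constructed named filters.
SAMPLE_PACKET = {"src": "10.4.3.1", "dst": "10.5.1.1", "src_port": 51234,
                 "dst_port": 80, "protocols": ["ethernet", "ip", "tcp", "http"]}
NAMED_FILTERS = {"smb": parse("port(445) | pspec(smb)"), "netbios": parse("pspec(netbios)")}
```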

Filter type table


Note For filter types and arg-names: [] indicate optional arguments.

Filter type: addr
Description: Filter by address
Arguments: type: address type, addr1: address, [addr2: address], [dir: direction]; or address type: address
Argument description: address type = ip, ipv6, ipx, ethernet, wireless, appletalk, decnet, wan.dlci; direction = 1to2, 2to1, or both (default)
Examples: addr(ip:'10.4.3.*'), addr(ethernet:'3com:*.*.*'), addr(type: ip, addr1: 10.4.3.1, addr2: 10.5.1.1, dir: 1to2)

Filter type: ip
Description: Filter by IP Address
Arguments: ip address specifier list (no named arguments)
Examples: ip(10.4.3.6), ip('10.4.3.*'), ip('10.4.3.*', '192.168.*.*'), ip('www.wildpackets.com')

Filter type: protocol
Description: Filter by protocol
Arguments: protocol type: protocol
Argument description: protocol type = protospec, Ethernet.Protocol, LSAP, SNAP, LAP, DDP, WAN.PPP, WAN.Frame.Relay
Examples: protocol(protospec: http), protocol(protospec:1418); see also pspec

Filter type: pspec
Description: Filter by protospec
Arguments: protocol list (no named arguments)
Examples: pspec(http), pspec(HTTP), pspec(HTTP, 'NB Sess Init'), pspec(1418, 6018)

Filter type: port
Description: Filter by port
Arguments: [type: port type] [port1: port] [port2: port] [dir: direction]
Argument description: port type = tcpudp (default), netware, atalk; port = number or name table port specifier (port1 is default); direction = 1to2, 2to1, or both (default)
Examples: port(80), port(80, 8080), port(tcpudp: 80), port(port1: 80, port2: 1523, dir:1to2)

Filter type: value
Description: Filter on a value in the packet
Arguments: '([s/u][n/b]off[8/16/32](offset) & mask) operator value' (no named arguments). The available offset keywords are: off8, off16, off32, off64; soff8, soff16, soff32, soff64; snoff8, snoff16, snoff32, snoff64; sboff8, sboff16, sboff32, sboff64; uoff8, uoff16, uoff32, uoff64; unoff8, unoff16, unoff32, unoff64; uboff8, uboff16, uboff32, uboff64
Argument description: s = signed compare; u = unsigned compare (default); n = network byte order; b = big endian order; 8, 16, 32, 64 = bit size of the value in the packet; offset = offset into the packet; mask = value mask (e.g. 0xff, 0b11111111, 255); operator = comparison operator, one of < <= > >= ==; value = value to compare against (same format as mask)
Examples: value('off8(20) == 0x10') compares the 8 bits 20 bytes into the packet against the value 0x10 (16)

Filter type: channel
Description: Filter by channel number (wired only)
Arguments: num: number (default)
Examples: channel(2)

Filter type: wan
Description: Filter by wan attribute
Arguments: dir: direction
Argument description: direction = dte, dce
Examples: wan(dir: dte)

Filter type: wireless
Description: Filter by wireless attribute
Arguments (only one is required): media: media type; channelband: band type; channelnum: numeric value; datarate: numeric value; minsignal: numeric value; maxsignal: numeric value; mindbmsignal: numeric value; maxdbmsignal: numeric value; minnoise: numeric value; maxnoise: numeric value; mindbmnoise: numeric value; maxdbmnoise: numeric value; encrypted: boolean value; decrypterr: boolean value; bssid: bssid value
Argument description: media type = 802.11b, 802.11a, 802.11 (default); band type = a, b, bg, n, at (a turbo), gt (g turbo), sg (super g), s1 (licensed A 1MHz), s5 (licensed A 5MHz), s10 (licensed A 10MHz), s15 (licensed A 15MHz), s20 (licensed A 20MHz); boolean value = yes, no, true, false, on, off, 1, 0
Examples: wireless(media:'802.11b', channelnum: 1, encrypted: 1)

Filter type: pattern
Description: Filter by pattern
Arguments: search type:'search string' [case: boolean value]
Argument description: search type = ASCII (default), Unicode, Hex, RegEx, EBCDIC; boolean value = yes, no, true, false, on, off, 1, 0; case on means to use a case sensitive match
Examples: pattern(ascii: 'smb', case: off), pattern('SMB'), pattern(hex: FF464D50)

Filter type: length
Description: Filter on the size of the packet
Arguments (only one is required): min: min length; max: max length
Argument description: Either min or max is required, or a single numeric value for exact length matches
Examples: length(64), length(min: 128), length(max: 256), length(min:128,max:256)

Filter type: plugin
Description: Filter by plugin
Arguments: plug-in name (no named arguments)
Examples: plugin('FTP Analysis')

Filter type: filter
Description: Filter using an existing filter
Arguments: filter name (no named arguments); the filter keyword is optional
Examples: filter('SMB'), SMB
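The value filter type above compares a masked field read at a byte offset. As an added example (not WildPackets code), the following Python parses that expression form and evaluates it over the raw bytes of a constructed Ethernet/IPv4/TCP frame; treating an expression with neither the n nor the b flag as host byte order is an assumption, since the guide lists no little-endian flag.

```python
"""Evaluator for the Filter Bar 'value' filter type above, e.g.
value('off8(20) == 0x10').  Added example, not WildPackets code; the sample
frame is constructed here and the byte-order default is an assumption."""
import operator
import re
import struct
import sys

# '([s/u][n/b]off[8/16/32/64](offset) & mask) operator value', parentheses optional
VALUE_RE = re.compile(r"""^\s*\(?\s*
    (?P<sign>[su])?(?P<order>[nb])?off(?P<bits>8|16|32|64)\s*\(\s*(?P<offset>\d+)\s*\)
    (?:\s*&\s*(?P<mask>\w+))?\s*\)?\s*
    (?P<op>==|<=|>=|<|>)\s*(?P<value>-?\w+)\s*$""", re.VERBOSE)
OPERATORS = {"==": operator.eq, "<": operator.lt, "<=": operator.le,
             ">": operator.gt, ">=": operator.ge}

def parse_number(text):
    return int(text, 0)  # accepts the mask/value formats listed above: 0xff, 0b11111111, 255

def parse_value_filter(expr):
    """Split a value expression into its parts; raises SyntaxError if it does not fit."""
    m = VALUE_RE.match(expr)
    if not m:
        raise SyntaxError(f"not a value filter expression: {expr!r}")
    bits = int(m["bits"])
    return {
        "signed": m["sign"] == "s",  # u (unsigned) is the default
        # n (network) and b (big endian) both read the most significant byte first;
        # with neither flag this example assumes host byte order (not stated in the guide).
        "byteorder": "big" if m["order"] else sys.byteorder,
        "bits": bits,
        "offset": int(m["offset"]),
        "mask": parse_number(m["mask"]) if m["mask"] else (1 << bits) - 1,
        "op": m["op"],
        "value": parse_number(m["value"]),
    }

def read_field(packet, spec):
    """Read the masked field described by spec from raw packet bytes."""
    width = spec["bits"] // 8
    start, end = spec["offset"], spec["offset"] + width
    if end > len(packet):  # a packet too short to hold the field is reported, not silently skipped
        raise ValueError(f"{width} bytes at offset {start} run past the end of a {len(packet)}-byte packet")
    field = int.from_bytes(packet[start:end], spec["byteorder"]) & spec["mask"]
    if spec["signed"] and field >= 1 << (spec["bits"] - 1):
        field -= 1 << spec["bits"]  # reinterpret as two's complement
    return field

def value_matches(expr, packet):
    """True when the packet satisfies the value filter expression."""
    spec = parse_value_filter(expr)
    return OPERATORS[spec["op"]](read_field(packet, spec), spec["value"])

def build_sample_packet():
    """Constructed Ethernet/IPv4/TCP SYN from 10.4.3.1:51234 to 10.5.1.1:80, no payload."""
    ethernet = bytes.fromhex("001122334455 66778899aabb 0800")
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                       bytes([10, 4, 3, 1]), bytes([10, 5, 1, 1]))
    tcp = struct.pack("!HHIIBBHHH", 51234, 80, 1, 0, 0x50, 0x02, 8192, 0, 0)
    return ethernet + ipv4 + tcp

if __name__ == "__main__":
    pkt = build_sample_packet()
    for expr in ("off8(23) == 6", "(uoff8(14) & 0xf0) == 0x40", "unoff16(36) == 80",
                 "(off8(47) & 0x02) == 0x02", "soff8(34) < 0", "off8(20) == 0x10"):
        print(f"value('{expr}') -> {value_matches(expr, pkt)}")
```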

Editing filters
You can edit an existing filter from any dialog that displays a list of available filters (for example, the Filters view of a capture window or Filters options in the Capture Options dialog).

To edit a filter:
1. From any dialog that displays a list of available filters, do any of the following to display the Edit Filter dialog:

- Select the filter and click the Edit button on the toolbar.
- Right-click the filter and choose Edit.
- Double-click the filter.

Note The Edit Filter dialog is essentially identical to the Insert Filter dialog used to create a Simple or Advanced filter.

2. Make the desired edits in the Edit Filter dialog and click OK.

Note Click the Help button on the dialog to learn about the available options and settings.

Duplicating filters
Duplicating a filter allows you to make a new filter based on an existing filter. Once a filter is duplicated, you can edit the duplicate with the settings required for the new filter.

To duplicate a filter:
1. From any dialog that displays a list of available filters (for example, the Filters view of a capture window or Filters options in the Capture Options dialog), do any of the following to make a copy of the desired filter:

- Select the filter and click the Duplicate button on the toolbar.
- Right-click the filter and choose Duplicate.

A copy of the filter is created in the list of available filters with the word copy appended to the end of the original filter name.
2. Edit the copy and save it under a new name. See Editing filters on page 139 for information on editing a filter.

Saving and loading filters


You can save and load filters. This allows you to create multiple sets of filters for different requirements. You can choose to save a whole set of filters or just a group of selected filters. All saved filter files have the *.flt file extension.

To save the whole set of filters:
1. From any dialog that displays a list of available filters (for example, the Filters view of a capture window or Filters options in the Capture Options dialog), do any of the following to save all of the filters displayed in the list:


- Choose File > Save Filters.
- Click the Export button on the toolbar.
- Right-click any filter and choose Export.

The Save As dialog appears.
2. Choose a location and type a name for the filter file and click Save.

To save one or more selected filters:
1. From any window that displays a list of available filters, right-click one or more filters and choose Export Selected.
2. From the Save As dialog, choose a location and type a name for the filter file and click Save.

To load a saved filter file:
1. From any window that displays a list of available filters, do any of the following to load a saved filter file:

- Click the Import button on the toolbar.
- Right-click any filter and choose Import.

A dialog appears asking you to Delete all filters before importing.
2. Click Yes to delete all existing filters before importing the saved filter file; click No to keep all existing filters before importing the saved filter file.

Note Imported filters are added to the existing list of available filters. Filters with the same name and parameters are ignored. Filters with the same name but different parameters are added to the list with copy added to their names.

3. From the Open dialog, select the saved filter file and click Open. The filters are added to the list of available filters.


CHAPTER 7 Post-capture Analysis


In this chapter:
About post-capture analysis . . . 144
Saving packets . . . 144
Copying selected packets to a new window . . . 145
Hiding and unhiding packets . . . 145
Selecting related packets . . . 146
Finding strings in packets . . . 148
Selecting packets matching user-defined criteria . . . 150
Performing a forensic search on an OmniEngine . . . 153


About post-capture analysis


Much of the work of troubleshooting problems on a network is a process of narrowing down the possibilities, examining first one set of clues and then another. OmniPeek provides a number of tools for selecting, grouping, and sorting packets by a variety of attributes to help the network engineer perform targeted analysis. The techniques for post-capture analysis are applied to packets that have already been captured and are in the buffer of a capture window. You can apply the techniques described here to select items in most views of a capture window.

Tip Standard Windows selection techniques are available throughout OmniPeek. For example, hold down the Ctrl key when you click to select multiple items.

Network forensics
Depending on your OmniEngine, you can search data from one or more forensics captures by a selected time period, IP address, applied filter, and more:

- If you have a standard OmniEngine (Windows or Linux), the Files and Forensics tabs are available for forensic analysis. See Forensic search from the Files tab below and Forensic search from the Forensics tab on page 158.
- If you have a WildPackets TimeLine network recorder, the Forensics tab is available for forensic analysis. See Forensic search from the Forensics tab on page 158.

Saving packets
You can choose to save all packets currently visible, or just the selected packets in the capture window, to a capture file.

Note You can save packets in an OmniPeek capture window only when the capture is not currently running. In an OmniEngine capture window, you can save packets while the capture is currently capturing packets. When you save packets in an OmniEngine capture window, the packets are saved to a capture file on the OmniPeek computer.

To save all packets:
1. Select the desired view to make it active.
2. Make sure the capture window is not currently capturing packets (click Stop Capture).


3. Choose File > Save All Packets (or right-click inside the capture window and select Save All Packets).
4. Enter a file name and select the file type.
5. Click Save.

To save selected packets:
1. Select the desired packets in the capture window.
2. Choose File > Save Selected Packets (or right-click the selected packets and choose Save Selected Packets).
3. Enter a file name and select the file type.
4. Click Save.

Copying selected packets to a new window


You can copy selected packets into a new capture window. The packets are renumbered, but the original packet order is retained.

To copy selected packets to a new window:
1. Select the desired packets in the capture window.
2. Choose Edit > Copy Selected Packets to New Window (or right-click the selected packets and choose Copy Selected Packets to New Window). A temporary capture window is created containing only the selected packets.

Hiding and unhiding packets


To reduce the number of visible packets in the Packets view of a capture window, you can hide packets from the view without actually deleting them from the capture window. Hide functions are disabled for capture windows when packet capture is currently under way.

Hidden packets are not processed by Analysis Modules or used when calculating the various capture window statistics. Additionally, they are not printed when the contents of the window are printed, and are not saved when you choose Save All Packets from the File menu. They are, however, deleted when you select Clear All Packets from the Edit menu or press Ctrl + B.

Hiding or unhiding packets causes all packets in the capture window to be reprocessed by any enabled Analysis Modules and causes statistics to be recalculated based on the changed visible contents of the capture window's buffer.


Note The hide functions (choosing Hide Selected Packets, Hide Unselected Packets, or Unhide All Packets from the Edit menu) are not supported for an OmniEngine capture window. The packets from an OmniEngine capture window must first be brought into an OmniPeek capture window in order to use the hide functions. See Using hide and unhide on an OmniEngine on page 146.

To use the hide and unhide functions:

- To hide the selected packets, choose Edit > Hide Selected Packets or press Ctrl + H.
- To hide unselected packets, choose Edit > Hide Unselected Packets or press Ctrl + Shift + H.
- To restore all hidden packets to view, choose Edit > Unhide All Packets or press Ctrl + U.

You can continue to add to the hidden packets, hiding some now and more later, but there is no way to selectively unhide.

Using hide and unhide on an OmniEngine


The hide functions (choosing Hide Selected Packets, Hide Unselected Packets, or Unhide All Packets from the Edit menu) are not supported directly from an OmniEngine capture window. You must first bring the packets into an OmniPeek capture window. There are several ways to do this:

- Select the relevant packets in the OmniEngine capture window, then choose File > Save Selected Packets to save the packets to an OmniPeek capture file. See Saving packets on page 144.
- Select the relevant packets in the OmniEngine capture window, then choose File > Copy Selected Packets to New Window to save the packets to an OmniPeek capture file. See Copying selected packets to a new window on page 145.
- Make the Packets view of the OmniEngine capture window active, then choose File > Save All Packets to save the contents of the capture window buffer to an OmniPeek capture file. See Saving packets on page 144.
- From the Files tab of the OmniEngines window, transfer the remote packet file to the OmniPeek computer, then open the file in a capture window. For details, see Performing a forensic search on an OmniEngine on page 153.

Selecting related packets


To find packets that are like, or related to, the packet or data item currently selected, you can use the Select Related Packets functions. The Select Related Packets functions offer a set of selection criteria based on the parameter you choose and on the values found in the currently selected item. It then tests all the visible packets in the Packets view of the capture window against those criteria and selects all of the packets that match the criteria.

Tip In capture windows, you can use the Filter Bar to create a wide variety of advanced filters that allow you to quickly and directly select packets, similar to using the Select Related Packets functions. See Creating filters with the filter bar on page 135.

To select related packets:
1. Select the item(s) in the Packets, Expert, Nodes, Protocols, WLAN, or Peer Map views of a capture window.
2. Choose Edit > Select Related Packets (or right-click and choose Select Related Packets).
3. Select a choice from the submenu:

Note The submenu is context-sensitive and only allows selections appropriate for the item you selected.

- By Source: Selects packets matching the source address.
- By Destination: Selects packets matching the destination address.
- By Source and Destination: Selects packets matching both the source and destination addresses.
- By VLAN: Selects packets matching the VLAN (Virtual LAN).
- By Protocol: Selects packets matching the protocol.
- By Client: Unique to the Expert view, selects all packets to or from the address shown in the Client Addr column.
- By Server: Unique to the Expert view, selects all packets to or from the address shown in the Server Addr column.
- By Client and Server: Unique to the Expert view, selects all packets between the selected Client and Server addresses.
- By Port: Selects packets matching the port address.
- By Flow: Selects packets sent between two nodes (in either direction), using the matching protocol and port.


The Selection Results dialog appears, showing the number of packets selected that match the related packets.

4. Click one of the following on the dialog:

- Hide selected packets: Click to hide all items that were found that do match the related packets.
- Hide unselected packets: Click to hide all items that were found that do not match the related packets.
- Copy selected packets to new window: Click to copy all items that were found that do match the related packets into a new capture window. This creates a temporary capture window called [capture window name] - Selection, containing only the related packets. The packets are renumbered, but the original packet order is retained.
- Close: Click to close the dialog. All items that were found that do match the related packets remain highlighted in the capture window.

Note To unhide packets, use Unhide All Packets from the Edit menu. You can also press Ctrl + U from the keyboard.

Finding strings in packets


You can search for string patterns found in the packet data of a capture window.

To find string patterns:
1. Select the Packets view of a capture window.
2. Choose Edit > Find Pattern or press Ctrl + F. The Find Pattern dialog appears.

148 Finding strings in packets

OmniPeek User Guide

3. Complete the dialog:

Find in: Select the location where you would like to search.
    Packet ASCII data: Searches for a match with an ASCII string found anywhere in the raw data of the packet.
    Packet hex data: Searches for a match with a hex string found anywhere in the raw data of the packet.
    Packet list headers: Searches for a match with a string found in the packet list headers; that is, with the text shown in the current set of columns in the Packet List pane of the Packets view for that packet.
    Decoded text: Searches for a match with a string found in the text of the decoded packet. This is like doing a text search in the Decode view portion of the text file which would be created by choosing Save Selected Packets as Text for the currently selected packets.
    Packet notes: Searches for a match with a string found in any Note associated with any packet in the Packet List pane. This is like doing a search in the optional Notes column of the Packets view.
    Packet EBCDIC data: Searches for a match with an EBCDIC string found anywhere in the raw data of the packet.
Find what: Type or select the string pattern you would like to find.
Match case: Select this check box to match the string exactly as typed.

4. Click Find Next. The first packet matching the string will be highlighted in the Packets view. To find the next matching packet in the sequence, choose Edit > Find Next (or press F3).

Tip The Find Pattern and Find Next commands search the packets in packet number order, starting from, but not including, the currently selected packet.


Note The Find Pattern and Find Next commands are not supported from an OmniEngine capture window. In order to use these techniques, you must first save the packets to an OmniPeek capture file. See Using hide and unhide on an OmniEngine on page 146.

Selecting packets matching user-defined criteria


You can use the Select command and Select dialog to select captured packets based on various selection criteria. You can choose to select either all packets matching your criteria, or all packets not matching your criteria. Only the visible packets displayed in the active capture window can be selected. The selection criteria include the following:

Packets matching one or more filters
Packets containing a certain ASCII or hex string
Packets that are of a certain length
Packets that match a specific Analysis Module

Note In an OmniEngine capture window, the Select dialog selects all matching packets in the capture buffer resident on the OmniEngine.

Important! Packet slicing can affect the operation of some selection tools. When used from the Select dialog, filters, Analysis Modules and other selection tools read packet contents from the captured packets to determine protocols, addresses and related information. If the packet slice value was set in such a way as to discard some of the information these tools expect to find, they will not be able to identify packet attributes correctly.

To use the Select dialog to select packets:

1. Choose Edit > Select Packets. The Select dialog appears.


2. Complete the dialog:

Matches one or more filters: Select this option to select packets that match one or more filters, and then select which filters you want to match in the filter box below this option. When multiple filters are enabled simultaneously, the result is the equivalent of a logical OR statement: a packet matching any one of the enabled filters will be considered a match.
Contains ASCII: Select this option to select packets that contain a specific ASCII string, and then enter the ASCII string in the box next to this option.
Contains hex: Select this option to select packets that contain a specific hex value, and then enter the hex value in the box next to this option.

Note The Contains ASCII and Contains hex options search through the raw packet data, not the packet decode. In the raw packet data, ASCII text will only be present when the packet contains application data which uses that encoding, such as the body of an email message, a web page, and so forth. Packet headers, including source and destination addresses, are hexadecimal.

Length is between ____ and _____ bytes: Select this option to select packets that are of a certain length, and then type or enter the minimum and maximum number of bytes.
Analysis Module: Select this option to select packets that match an Analysis Module, and then select which Analysis Module you want to match from the list.

Note When you open the Select dialog for an OmniEngine capture window, only the relevant Analysis Modules available on the OmniEngine will be shown. If you disabled Analysis Modules for this OmniEngine capture window in the Analysis Options view of the remote Capture Options dialog, no packets will be selected when you choose the Analysis Modules option in the Select dialog.

Packet range: Select this option to select packets that are within a range of packets, and then enter the desired range.
Packet time: Select this option to select packets that are within a specific time range, and then specify the time range by selecting or entering both the starting and ending dates and times.
Match: Select this option to select packets that match your selection criteria.
Do not match: Select this option to select packets that do not match your selection criteria.
Replace: Select this option to display only the newly selected packets.
Add to: Select this option to display any packets currently selected and the newly selected packets.
Selected: Displays the number of packets selected.
Select Packets: Click this button to select packets that match your selection criteria. Once you click this button, a Selection Results dialog appears noting how many packets were selected. You can then choose the option to Hide selected packets, Hide unselected packets, Copy selected packets to new window, or Close to simply close the dialog without further action.

3. Click the Select Packets button to perform the selection. The Selection Results dialog appears, showing the number of packets selected that match the selection criteria.

4. Click one of the following on the dialog:

Hide selected packets: Click to hide all items that were found that do match the selection criteria.
Hide unselected packets: Click to hide all items that were found that do not match the selection criteria.
Copy selected packets to new window: Click to copy all items that were found that do match the selection criteria into a new capture window. This creates a temporary capture window called [capture window name] - Selection, containing only the selected packets. The packets are renumbered, but the original packet order is retained.
Close: Click to close the dialog. All items that were found that do match the selection criteria remain highlighted in the capture window.

Note To unhide packets, use Unhide All Packets from the Edit menu. You can also press Ctrl + U from the keyboard.
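The selection rules described for Find Pattern and the Select dialog, written out in Python as an added example (this is not OmniPeek code, and the guide describes no programming interface for these dialogs): enabled criteria combine as a logical OR, Do not match inverts the result, only visible packets are eligible, Add to keeps the previous selection, a copy to a new window renumbers the packets while keeping their order, and Find Next continues from the packet after the current one. The packets are constructed samples; packet 4 is sliced, which illustrates the Important! note above that a Contains ASCII search cannot match text the slice discarded. That Find Next skips hidden packets is an assumption.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Set


@dataclass
class Packet:
    number: int            # packet number as shown in the Packet List
    length: int            # length on the wire, in bytes
    data: bytes            # bytes the capture retained; shorter than length when sliced
    hidden: bool = False   # hidden packets are not displayed and cannot be selected


Criterion = Callable[[Packet], bool]


def contains_ascii(text: str, match_case: bool = False) -> Criterion:
    """'Contains ASCII' / Find in Packet ASCII data: a substring search over the
    raw retained bytes, so text that packet slicing discarded is never found."""
    needle = text.encode("ascii")

    def check(p: Packet) -> bool:
        return needle in p.data if match_case else needle.lower() in p.data.lower()

    return check


def contains_hex(hex_string: str) -> Criterion:
    """'Contains hex': the hex value is matched as a byte sequence anywhere in the raw data."""
    needle = bytes.fromhex(hex_string.replace(" ", ""))
    return lambda p: needle in p.data


def length_between(low: int, high: int) -> Criterion:
    """'Length is between ... and ... bytes', inclusive, on the on-wire length."""
    return lambda p: low <= p.length <= high


def select_packets(packets: Iterable[Packet], criteria: List[Criterion], match: bool = True,
                   add_to: Optional[Set[int]] = None) -> Set[int]:
    """Return the numbers of the selected packets.

    Enabled criteria combine as a logical OR; match=False selects the packets
    that match none of them ('Do not match'); only visible packets are eligible;
    add_to keeps an existing selection ('Add to') instead of replacing it.
    """
    selected: Set[int] = set(add_to) if add_to else set()
    for p in packets:
        if p.hidden:
            continue
        if any(c(p) for c in criteria) == match:
            selected.add(p.number)
    return selected


def hide_selected(packets: Iterable[Packet], selected: Set[int]) -> None:
    for p in packets:
        if p.number in selected:
            p.hidden = True


def hide_unselected(packets: Iterable[Packet], selected: Set[int]) -> None:
    for p in packets:
        if p.number not in selected:
            p.hidden = True


def unhide_all(packets: Iterable[Packet]) -> None:
    """Edit > Unhide All Packets (Ctrl + U)."""
    for p in packets:
        p.hidden = False


def copy_to_new_window(packets: Iterable[Packet], selected: Set[int]) -> List[Packet]:
    """'Copy selected packets to new window': original order kept, renumbered from 1."""
    chosen = [p for p in packets if p.number in selected]
    return [Packet(i, p.length, p.data) for i, p in enumerate(chosen, start=1)]


def find_next(packets: Iterable[Packet], criterion: Criterion,
              current: Optional[int]) -> Optional[int]:
    """Find Pattern / Find Next: search in packet number order, starting after (not at)
    the currently selected packet; current=None means no packet is selected yet.
    Skipping hidden packets is an assumption of this example."""
    for p in sorted(packets, key=lambda q: q.number):
        if current is not None and p.number <= current:
            continue
        if not p.hidden and criterion(p):
            return p.number
    return None


def sample_packets() -> List[Packet]:
    """Constructed sample capture (not real traffic); only the interesting bytes are kept.
    Packet 4 was sliced at 30 bytes, so its Cookie value is not in the retained data."""
    sliced = b"POST /login HTTP/1.1\r\nCookie: session=abc123\r\n"[:30]
    return [
        Packet(1, 120, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"),
        Packet(2, 60, bytes(range(60))),   # binary header bytes, no printable text
        Packet(3, 90, b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                      b"\x07example\x04test\x00\x00\x01\x00\x01"),
        Packet(4, 1500, sliced),
    ]
```

Run `select_packets(sample_packets(), [contains_ascii("session")])` to see the slicing effect: the string was on the wire in packet 4, but the retained 30 bytes end before it, so nothing is selected, exactly the failure mode the Important! note describes.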

Performing a forensic search on an OmniEngine


Depending on your OmniEngine, you can perform forensic analysis from the Files or Forensics tab in the OmniEngines window:

If you have a standard OmniEngine (Windows or Linux), the Files and Forensics tabs are available for forensic analysis. See Forensic search from the Files tab below and Forensic search from the Forensics tab on page 158.
If you have a WildPackets TimeLine network recorder, the Forensics tab is available for forensic analysis. See Forensic search from the Forensics tab on page 158.

Note You can also perform forensic analysis directly from a Forensics Capture window. See Forensic search from the Forensics Capture window on page 168.

Forensic search from the Files tab


Using the Files tab and Forensic search dialog of an OmniEngine, you can search one or more OmniEngine capture files to sort through hours' or even days' worth of network traffic for specific data you wish to analyze further. A forensic search creates a new Forensic Search window which can be saved to the OmniPeek computer.

Note The Files tab is not available from a WildPackets TimeLine network recorder.


Important! One or more capture files saved to the OmniEngine computer are required before you can perform a forensic search. See OmniEngine capture files on page 51 and Forensics capture on an OmniEngine on page 55.

To perform a forensic search from the Files tab:

1. From the OmniEngines window, select the Files tab of a connected OmniEngine.

[Figure: the Files tab, with callouts for the Capture Files list and the Refresh, Download Packets, Upload Packets, Forensic Search and Delete buttons]

The parts of the Files tab are described here:

Capture files: Displays all of the OmniEngine capture files saved to the OmniEngine.
Forensic search: Click the button to display the Forensic Search dialog where you can adjust the forensic search settings. Click the small down arrow next to the button to display custom or pre-configured settings for performing a forensic search. You can change any option prior to clicking the Start button:
    Custom: Creates a Forensic Search window based on the customized settings that you configure.
    Overview: Creates a Forensic Search window based on settings that display an overview of the selected data in the capture session.
    Packets: Creates a Forensic Search window containing a packets-only view.
    Expert: Creates a Forensic Search window based on settings that are optimized for Expert analysis.
    Voice & Video: Creates a Forensic Search window based on settings that are optimized for Voice & Video analysis.
Download Packets: Click to copy the selected capture files to a location on your local OmniPeek computer.
Upload Packets: Click to choose a packet file on your local OmniPeek computer and send it to the OmniEngine. The packet file then appears in the Files tab along with the capture files that had already been saved to the OmniEngine.
Delete: Click to delete the selected files from the list of files.
Refresh: Click to refresh the screen.

Tip Right-click inside the list of files for additional options for performing a forensic search, grouping files, uploading and downloading packets, deleting files, synchronizing files to the file system on the hard disk, and refreshing the display.

2. Select one or more capture files you wish to search.

3. Click the Forensic Search button (or click the small down arrow next to the button and select the type of forensic search you wish to perform). The Forensic Search dialog appears.

Note Selecting one of the pre-defined types of forensic searches displays the Forensic Search dialog with the Analysis & Output options pre-configured for that type of forensic search. You can change any option prior to clicking the Start button.


4. Complete the dialog to specify the criteria for extracting data from the selected capture files:

Name: Enter a name for the forensic search.
Files: Choose one of the following:
    Search all files: Select this option to search through all of the files listed in the Files tab.
    Search selected files: Select this option to search through only the selected files in the Files tab.
Captures: Select this option and then select the capture to search from those listed in the Capture column of the Files tab.
Network Media: Choose one of the following:
    Media type: Select this option and then select the media type to extract only the data of a specific media type.
    Adapter: Select this option and then select the adapter to extract only the data captured by a specific adapter.
Time Range: Select this option and then configure the start and end times to extract the data.
    Start time: Set the start date and time for extracting data. Only the data captured between the start time and end time is extracted.
    End time: Set the end date and time for extracting data. Only the data captured between the start time and end time is extracted.
    Duration: Displays the amount of time between the specified start and end times.
Filters: Click the Filter button to select a filter from the display list. All packets will be accepted if no filters are applied to the forensic search. To create an advanced filter, click the Filter button and select filters, operators, or expressions from the display. For detailed instructions, please see Creating filters with the filter bar on page 135.
Limits: Choose one of the following to change how the results of your search are maintained:
    None: Select this option to choose never to stop your search. This option is only recommended for very small searches.
    Packets: Select this option and then enter the number of packets to find before stopping your search.
    Bytes: Select this option and then enter the number of bytes to find before stopping your search.
    Packet Buffer: Select this option and then select the maximum number of megabytes of packets to keep in a ring buffer, in which new packets are continuously replacing ones captured earlier.
Analysis & Output: Select one or more of the options to enable and display that particular view in the new Forensic Search window. For various Analysis & Output options that have additional configurable settings, click the submenu icon to the right of the option.

5. Click Start. A progress dialog appears. (Clicking the Stop button stops the search and then completes the processing of the packets.) Once the processing of the packets is complete, a new Forensic Search window appears containing the data found based on the criteria you selected above.


6. From the new Forensic Search window, you can further narrow down the data by performing any of the post-capture analysis methods described earlier.

Forensic search from the Forensics tab


Using the Forensics tab and Forensic search dialog, you can perform a forensic search on a single stored capture session to sort through a specific time period of network traffic for data you wish to analyze further. A forensic search creates a new Forensic Search window.

Important! One or more forensic captures on the OmniEngine computer are required before you can perform a forensic search from the Forensics tab. See OmniEngine capture files on page 51 and Forensics capture on an OmniEngine on page 55.

To perform a forensic search from the Forensics tab:

1. From the OmniEngines window, select the Forensics tab of a connected OmniEngine. The Forensics tab displays the data currently available from the capture storage space of the OmniEngine.

[Figure: the Forensics tab, with callouts for the Header Information, Timeline graph, View type, Time window, Top Talkers by IP Address, Top Protocols, Forensic Search, Download Packets and Refresh controls, and the Nested Tabs]

The parts of the Forensics tab are described here:

Header Information: The header information displays statistics for the capture session (data start time, data end time, duration, status, packets, packets dropped, adapter, etc.).
Top Talkers by IP Address: This display shows a graph of top talkers on the network, broken out by node for the selected area in the Timeline graph below. You can right-click inside the display to display top talkers by Physical Address, IP Address, or IPv6 Address; or to select a Bar or Pie display. Mouse over a bar (or slice) of the graph to view a tooltip with additional details for the node.
Top Protocols: This display shows a graph of top protocols on the network for the selected area in the Timeline graph below. You can right-click inside the display to select a Bar or Pie display. Mouse over a bar (or slice) of the graph to view a tooltip with additional details for the protocol.


Timeline graph: The Timeline graph displays the data of the selected capture session. Only one capture session at a time can be displayed inside the graph. By default, the graph shows network utilization in Mbits/s, but other statistics can be graphed as well by selecting the View type. Here are descriptions of other parts of the Timeline graph:
    Right-click inside the graph to perform a forensic search (see Forensic search below), download selected packets to a capture file, refresh the window, or choose a different graph format: Bar, Stacked Bar, Skyline, Area, Stacked Area, Line, Line/Points, Linear, and Logarithmic. Additionally, you can also toggle displaying the minimum and maximum points for each series on the graph.
    Mouse over a data point in the graph to view a tooltip displaying timestamp and size information (e.g., time and rate, time and packet size, etc.).
    Any time there is more data than can be displayed on the screen, a scroll bar appears below the graph and allows you to view different points of time in the graph. If the Time window is set to Automatic, the scroll bar never appears; if the Time window is set to anything other than Automatic, a scroll bar appears below the graph and allows you to view different points of time in the graph.
View type: Select the type of statistics to display in the Timeline graph. You can select from:
    Network Utilization (Mbits/s)
    Network Utilization (Packets/s)
    Unicast/Multicast/Broadcast
    Packets sizes
    VLAN/MPLS
    Protocols (Mbits/s)
    Protocols (Packets/s)
    Call Quality (TimeLine network recorder only)
    Call vs. Network Utilization (TimeLine network recorder only)

Note To display statistics for a Call Quality view type, the Timeline VoIP Stats option must be selected when you first create the capture and configure the General options of the Capture Options dialog. See Configuring general options on page 35.


Time window: Select the time interval to display in the Timeline graph. By default, Automatic is selected to display the optimum window based on the available data. Intervals from 5 Minutes (1 Sec. Avg.) to 24 Hours (5 Min. Avg.) are also available.
Forensic search: Click the button to display the Forensic Search dialog where you can adjust the forensic search settings. Click the small down arrow next to the button to display custom or pre-configured settings for performing a forensic search. You can change any option prior to clicking the Start button:
    Custom: Creates a Forensic Search window based on the customized settings that you configure.
    Overview: Creates a Forensic Search window based on settings that display an overview of the selected data in the capture session.
    Packets: Creates a Forensic Search window containing a packets-only view.
    Expert: Creates a Forensic Search window based on settings that are optimized for Expert analysis.
    Voice & Video: Creates a Forensic Search window based on settings that are optimized for Voice & Video analysis.
Download Packets: Click to download the packets from the selected capture session, in the selected time range.
Refresh: Click to refresh the screen. For an active capture session, you can also set an automatic refresh interval by selecting an interval from the drop-down list to the right of the Refresh button.
Nested tabs: There are three nested tabs available from within the Forensics tab: Timeline, Storage, and Details. Each tab allows you to view and select the capture data you wish to search in various formats. The Timeline, Storage, and Details tabs are described in detail below.

2. From any of the nested tabs, click (double-click from the Details nested tab) the capture session you wish to search. The selected capture session is displayed in orange to indicate it is selected, and the data for the capture session is loaded into the Timeline graph at the top.

Important! A session represents a contiguous period of time when packets are captured from a particular interface. A session is created each time you start a capture on a WildPackets TimeLine network recorder. A capture can have multiple sessions, and each session can be separated by periods of inactivity (from stopping and starting the capture). Forensic analysis can then be performed on each session. Sessions are displayed in any of the nested tabs available from the Forensics tab.


3. In the Timeline graph, drag to select the area of the selected capture you wish to search. If no area of the graph is selected, the entire capture is selected by default.

Note The packet count displayed above the Timeline graph is an approximation of the packets currently selected.

Tip You can adjust the exact time range from the Forensic Search dialog.

4. Click the Forensic Search button (or click the small down arrow next to the button and select the type of forensic search you wish to perform). The Forensic Search dialog appears.

Note Selecting one of the pre-defined types of forensic searches displays the Forensic Search dialog with the Analysis & Output options pre-configured for that type of forensic search. You can change any option prior to clicking the Start button.


5. Complete the dialog to specify the criteria for extracting data from the selected capture:

Name: Enter a name for the forensic search.
Time Range: Select this option and then configure the start and end times to extract the data.
    Start time: Set the start date and time for extracting data. Only the data captured between the start time and end time is extracted.
    End time: Set the end date and time for extracting data. Only the data captured between the start time and end time is extracted.
    Duration: Displays the amount of time between the specified start and end times.
Filters: Click the Filter button to select a filter from the display list. All packets will be accepted if no filters are applied to the forensic search. To create an advanced filter, click the Filter button and select filters, operators, or expressions from the display. For detailed instructions, please see Creating filters with the filter bar on page 135.
Limits (not available in TimeLine network recorder): Choose one of the following to change how the results of your search are maintained:
    None: Select this option to choose never to stop your search. This option is only recommended for very small searches and not typically selected.
    Packets: Select this option and then enter the number of packets to find before stopping your search.
    Bytes: Select this option and then enter the number of bytes to find before stopping your search.
    Packet Buffer: Select this option and then select the maximum number of packets to keep in a ring buffer, in which new packets are continuously replacing ones captured earlier.
Analysis & Output: Select one or more of the options to enable and display that particular view in the new Forensic Search window. For various Analysis & Output options that have additional configurable settings, click the submenu icon to the right of the option.

6. Click Start. A progress dialog appears. (Clicking the Stop button stops the search and then completes the processing of the packets.) Once the processing of the packets is complete, a new Forensic Search window appears containing the data found based on the criteria you selected above.


7. From the new Forensic Search window, you can further narrow down the data by performing any of the post-capture analysis methods described earlier.
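What a forensic search computes, for both the Files tab and the Forensics tab procedures above, written in Python as an added example (this is not WildPackets code; the guide documents no programming interface for the OmniEngine): the Time Range and Filter criteria of the Forensic Search dialog, the three Limits, and the Top Talkers, Top Protocols and Network Utilization (Mbits/s) views that the Forensics tab draws for the selected time span. Assumed semantics, since the guide only names the options: the Packets and Bytes limits stop the search after that many matching packets or bytes have been found, Packet Buffer is taken here in bytes rather than megabytes, and the capture session is constructed sample data.

```python
from collections import Counter, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Deque, Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class StoredPacket:
    timestamp: datetime
    length: int        # bytes on the wire
    protocol: str
    src_ip: str
    dst_ip: str


Filter = Callable[[StoredPacket], bool]


def forensic_search(packets: Iterable[StoredPacket], start: datetime, end: datetime,
                    pkt_filter: Optional[Filter] = None, max_packets: Optional[int] = None,
                    max_bytes: Optional[int] = None,
                    buffer_bytes: Optional[int] = None) -> List[StoredPacket]:
    """Apply the Forensic Search dialog's criteria to one stored capture session.

    Time Range keeps packets with start <= timestamp <= end; with no filter every
    packet in range is accepted. Limits (assumed semantics): Packets stops after
    max_packets matches, Bytes stops once max_bytes have been collected, and
    Packet Buffer keeps only the newest matches that fit in buffer_bytes,
    evicting older ones as the ring buffer wraps.
    """
    kept: Deque[StoredPacket] = deque()
    total = 0
    for p in sorted(packets, key=lambda q: q.timestamp):
        if not (start <= p.timestamp <= end):
            continue
        if pkt_filter is not None and not pkt_filter(p):
            continue
        kept.append(p)
        total += p.length
        if buffer_bytes is not None:
            while total > buffer_bytes and kept:   # the oldest matches are overwritten
                total -= kept.popleft().length
        if max_packets is not None and len(kept) >= max_packets:
            break
        if max_bytes is not None and total >= max_bytes:
            break
    return list(kept)


def top_by(packets: Iterable[StoredPacket], keys: Callable[[StoredPacket], List[str]],
           n: int = 3) -> List[Tuple[str, int]]:
    """Bytes per key, largest first. Top Protocols: keys=lambda p: [p.protocol];
    Top Talkers by IP Address: keys=lambda p: [p.src_ip, p.dst_ip]."""
    counts: Counter = Counter()
    for p in packets:
        for k in keys(p):
            counts[k] += p.length
    return counts.most_common(n)


def utilization_mbps(packets: Iterable[StoredPacket], start: datetime,
                     interval_seconds: int) -> Dict[int, float]:
    """Network Utilization (Mbits/s) averaged per interval, as the Timeline graph
    plots it: interval index (0 begins at start) -> average Mbits/s."""
    bits: Counter = Counter()
    for p in packets:
        bucket = int((p.timestamp - start).total_seconds() // interval_seconds)
        bits[bucket] += p.length * 8
    return {b: v / interval_seconds / 1e6 for b, v in sorted(bits.items())}


BASE = datetime(2012, 6, 1, 9, 0, 0)   # constructed session start, not a real capture


def at(minutes: int) -> datetime:
    """Timestamp the given number of minutes after the constructed session start."""
    return BASE + timedelta(minutes=minutes)


def sample_session() -> List[StoredPacket]:
    """Constructed capture session of eight packets over 70 minutes (sample data)."""
    return [
        StoredPacket(at(0), 1200, "HTTP", "10.0.0.5", "192.0.2.10"),
        StoredPacket(at(5), 90, "DNS", "10.0.0.5", "10.0.0.53"),
        StoredPacket(at(12), 1500, "SMB", "10.0.0.7", "10.0.0.20"),
        StoredPacket(at(20), 600, "HTTP", "10.0.0.8", "192.0.2.10"),
        StoredPacket(at(33), 1500, "SMB", "10.0.0.7", "10.0.0.20"),
        StoredPacket(at(41), 64, "DNS", "10.0.0.8", "10.0.0.53"),
        StoredPacket(at(55), 800, "HTTP", "10.0.0.5", "192.0.2.10"),
        StoredPacket(at(70), 1500, "SMB", "10.0.0.9", "10.0.0.20"),
    ]
```

The ring-buffer limit is the one to watch when scoping an investigation: `forensic_search(sample_session(), at(0), at(60), buffer_bytes=3000)` returns only the last four matches, because the earlier ones were evicted as the buffer wrapped, which is the same loss the guide describes for a wrapped capture session.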

Timeline nested tab


The Timeline nested tab has three bands of timelines (Day, Month, Year) that are used to display the capture sessions available from the storage space on the OmniEngine. You can select a capture session from the day band to display the session in the Timeline graph above.
[Figure: the Timeline nested tab, showing capture sessions on the Day, Month and Year timeline bands]

Here are some useful notes for using the Timeline nested tab:


Capture sessions are represented with a horizontal green or blue bar and the name of the main parent capture. Simply click a capture session to view its data within the Timeline graph above. Only one capture session at a time can be selected and displayed in the Timeline graph.
A capture session that is highlighted with an orange vertical bar indicates it is currently selected.
A capture session that has green colored text indicates it is currently active and is capturing packets.
Capture sessions may be overwritten by another session in the same capture if the capture was created as a continuous capture, and the session wraps after exceeding the disk space allocated for the capture. See Configuring general options on page 35. If a capture session wraps, the horizontal green or blue bar appears with a lighter color to indicate that capture sessions were overwritten. Any data that is overwritten is no longer available for analysis.
Drag inside a timeline band to view different points of time within the timeline band. The other timeline bands will move accordingly.
Right-click inside a timeline band to quickly move to various points within the timeline. You can select from:
    Go to Current: Moves all three timeline bands so that the currently selected capture session is centered inside the display.
    Go to Now: Moves all three timeline bands so that the current time is centered inside the display.
    Go to Earliest: Moves all three timeline bands so that the earliest available capture session is centered inside the display.
    Go to Latest: Moves all three timeline bands so that the latest available capture session is centered inside the display.

Storage nested tab


The Storage nested tab (TimeLine network recorder only) displays each capture session available from the storage space on the OmniEngine as a container nested within a larger parent container.

[Figure: the Storage nested tab, showing a capture session, the selected capture session (in orange) and an active capture session (in green)]

Here are some useful notes for using the Storage nested tab:

A capture session that is colored orange indicates it is currently selected.
A capture session that is colored green indicates it is currently active and is capturing packets.
Capture sessions may be overwritten by another session in the same capture, if the capture was created as a continuous capture and the session wraps after exceeding the disk space allocated for the capture. See Configuring general options on page 35. When data from a capture session is overwritten with new data, the old data is no longer available for analysis.
Only one capture session at a time can be selected and displayed in the Timeline graph.
Mouse over a capture session container to view a tooltip displaying details about the capture session.
Right-click a capture session to display the following options:
    View: Loads the selected capture session into the Timeline graph above.
    Delete Capture: Removes the selected capture and all of its capture sessions, packet data, and statistics from the capture storage space on the OmniEngine. You will be prompted to verify any deletions. Only a parent capture, and not individual capture sessions, can be deleted from the list.
    Delete All Captures: Removes all captures, capture sessions, packet data, and statistics from the capture storage space on the OmniEngine. You will be prompted to verify any deletions.
    Show Unreserved Space: Displays the amount of space that is not currently being used as capture storage space on the OmniEngine.
    Show Legend: Displays a color-coded legend for the capture sessions.


Details nested tab


The Details nested tab displays capture sessions available from the storage space on the OmniEngine as a list in tabular format. Each capture session is displayed under its main parent capture. The main parent capture is a collapsible list that can be expanded or collapsed to hide or show its capture sessions.
[Figure: the Details nested tab, showing main parent captures with their capture sessions listed beneath them]

Here are some useful notes for using the Details nested tab:

A capture session that is colored orange indicates it is currently selected.
A capture session that is colored green indicates it is currently active and is capturing packets.
Capture sessions may be overwritten by another session in the same capture, if the capture was created as a continuous capture and the session wraps after exceeding the disk space allocated for the capture. See Configuring general options on page 35. An overwritten capture session is no longer available for analysis.
Only one capture session at a time can be selected and displayed in the Timeline graph.
Right-click a column heading to display or hide a specific column. Click a column heading to sort its data. See OmniEngine details tab columns on page 493 for a description of the available columns.
Right-click a capture session or parent capture to display the following options:
    View: Loads the selected capture session into the Timeline graph above. Only a capture session, and not a parent capture, can be loaded into the Timeline graph.
    Delete Capture: Removes the selected capture and all of its capture sessions, packet data, and statistics from the capture storage space on the OmniEngine. You will be prompted to verify any deletions. Only a parent capture, and not individual capture sessions, can be deleted from the list.
    Delete All Captures: Removes all captures, capture sessions, packet data, and statistics from the capture storage space on the OmniEngine. You will be prompted to verify any deletions.
    Expand All: Expands the list so that all capture sessions are displayed below the parent capture.
    Collapse All: Collapses the list so that all capture sessions are hidden below the parent capture.

Forensic search from the Forensics Capture window


If you created a Forensics Capture window (see Forensics capture on an OmniEngine on page 55), you can perform a forensic search directly from the capture window. A forensic search creates a new Forensic Search window.

Note You can also perform a forensic search from the Files or Forensics tab. See Forensic search from the Files tab on page 153 and Forensic search from the Forensics tab on page 158.

To perform a forensic search from the Forensics Capture window:

1. Create a Forensics Capture window as described in Forensics capture on an OmniEngine on page 55.

2. Click the Timeline dashboard to display the new Forensics Capture window.

[Figure: the Timeline dashboard of a Forensics Capture window, with callouts for the Header Information, Timeline graph, View type, Time window, Top Talkers by IP Address, Top Protocols, Forensic Search, Download Packets and Refresh controls]

The parts of the Timeline graph are described here:

Header Information: The header information displays statistics for the capture session (data start time, data end time, duration, status, packets, packets dropped, adapter, etc.).
Top Talkers by IP Address: This display shows a graph of top talkers on the network, broken out by node for the selected area in the Timeline graph below. You can right-click inside the display to display top talkers by Physical Address, IP Address, or IPv6 Address; or to select a Bar or Pie display. Mouse over a bar (or slice) of the graph to view a tooltip with additional details for the node.
Top Protocols: This display shows a graph of top protocols on the network for the selected area in the Timeline graph below. You can right-click inside the display to select a Bar or Pie display. Mouse over a bar (or slice) of the graph to view a tooltip with additional details for the protocol.


- Timeline graph: The Timeline graph displays the data of the capture window. By default, the graph shows utilization in Mbits/s, but other statistics can be graphed as well by selecting the View type. Here are descriptions of other parts of the Timeline graph:

  Right-click inside the graph to perform a forensic search (see Forensic search below), download selected packets to a capture file, refresh the window, or choose a different graph format: Bar, Stacked Bar, Skyline, Area, Stacked Area, Line, Line/Points, Linear, and Logarithmic. Additionally, you can also toggle displaying the minimum and maximum points for each series on the graph. Mouse over a data point in the graph to view a tooltip displaying timestamp and size information (e.g., time and rate, time and packet size, etc.). Any time there is more data than can be displayed on the screen, a scroll bar appears below the graph and allows you to view different points of time in the graph. The scroll bar never appears while the Time window is set to Automatic; when the Time window is set to anything other than Automatic, the scroll bar appears below the graph.

- View type: Select the type of statistics to display in the Timeline graph. You can select from:
  - Network Utilization (Mbits/s)
  - Network Utilization (Packets/s)
  - Unicast/Multicast/Broadcast
  - Packets sizes
  - VLAN/MPLS
  - Protocols (Mbits/s)
  - Protocols (Packets/s)
  - Call Quality (TimeLine network recorder only)
  - Call vs. Network Utilization (TimeLine network recorder only)

Note To display statistics for a Call Quality view type on a TimeLine network recorder, the Timeline VoIP Stats option must be selected when you first create the capture and configure the General options of the Capture Options dialog. See Configuring general options on page 35.


- Time window: Select the time interval to display in the Timeline graph. By default, Automatic is selected to display the optimum window based on the available data. Intervals from 5 Minutes (1 Sec. Avg.) to 24 Hours (5 Min. Avg.) are also available.
- Forensic search: Click the button to display the Forensic Search dialog where you can adjust the forensic search settings. Click the small down arrow next to the button to display custom or pre-configured settings for performing a forensic search. You can change any option prior to clicking the Start button:
  - Custom: Creates a Forensic Search window based on the customized settings that you configure.
  - Overview: Creates a Forensic Search window based on settings that display an overview of the selected data in the capture session.
  - Packets: Creates a Forensic Search window containing a packets-only view.
  - Expert: Creates a Forensic Search window based on settings that are optimized for Expert analysis.
  - Voice & Video: Creates a Forensic Search window based on settings that are optimized for Voice & Video analysis.
- Download Packets: Click to download the packets from the selected time range.
- Refresh: Click to refresh the screen. For an active capture session, you can also set an automatic refresh interval by selecting an interval from the drop-down list to the right of the Refresh button.

3. In the Timeline graph, drag to select the area of the capture you wish to search. If no area of the graph is selected, the entire capture is selected by default.

Note The packet count displayed above the Timeline graph is an approximation of the packets currently selected.


Tip You can adjust the exact time range from the Forensic Search dialog.

4. Click the Forensic Search button (or click the small down arrow next to the button and select the type of forensic search you wish to perform). The Forensic Search dialog appears.

Note Selecting one of the pre-defined types of forensic searches displays the Forensic Search dialog with the Analysis & Output options pre-configured for that type of forensic search. You can change any option prior to clicking the Start button.

5. Complete the dialog to specify the criteria for extracting data from the selected capture:

- Name: Enter a name for the forensic search.
- Time Range: Select this option and then configure the start and end times to extract the data.
  - Start time: Set the start date and time for extracting data. Only the data captured between the start time and end time is extracted.
  - End time: Set the end date and time for extracting data. Only the data captured between the start time and end time is extracted.
  - Duration: Displays the amount of time between the specified start and end times.
- Filters: Click the Filter button to select a filter from the display list. All packets will be accepted if no filters are applied to the forensic search.


To create an advanced filter, click the Filter button and select filters, operators, or expressions from the display. For detailed instructions, please see Creating filters with the filter bar on page 135.

- Limits (not available in TimeLine network recorder): Choose one of the following to change how the results of your search are maintained:
  - None: Select this option to choose never to stop your search. This option is only recommended for very small searches.
  - Packets: Select this option and then enter the number of packets to find before stopping your search.
  - Bytes: Select this option and then enter the number of bytes to find before stopping your search.
  - Packet Buffer: Select this option and then select the maximum number of packets to keep in a ring buffer, in which new packets are continuously replacing ones captured earlier.
- Analysis & Output: Select one or more of the options to enable and display that particular view in the new Forensic Search window.

6. Click OK. A progress dialog appears. (Clicking the Stop button stops the search and then completes the processing of the packets.) Once the processing of the packets is complete, a new Forensic Search window appears containing the data found based on the criteria you selected above. The name of the Forensic Search window is added to the list of currently active forensic searches in the Forensic Searches tab.


7. From the new Forensic Search window, you can further narrow down the data by performing any of the post-capture analysis methods described earlier.
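To make the Time Range, Filters, and Limits semantics of the dialog concrete, here is an added Python example (not OmniPeek or OmniEngine code) that runs an equivalent search over a constructed list of packet records. The packet records, the T0 timestamp, the `accept` predicate standing in for a selected filter, and the `limit` tuple are all assumptions made for this example.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed packet records standing in for a capture session's stored packets
# (sample data for this example, not an OmniPeek/OmniEngine storage format).
T0 = datetime(2012, 1, 1, 10, 0, 0)
PACKETS = [
    {"num": 1, "ts": T0 + timedelta(seconds=0),  "src": "10.0.0.5", "dst": "10.0.0.9", "proto": "TCP", "len": 74},
    {"num": 2, "ts": T0 + timedelta(seconds=5),  "src": "10.0.0.5", "dst": "10.0.0.9", "proto": "TCP", "len": 1514},
    {"num": 3, "ts": T0 + timedelta(seconds=12), "src": "10.0.0.7", "dst": "10.0.0.1", "proto": "UDP", "len": 90},
    {"num": 4, "ts": T0 + timedelta(seconds=20), "src": "10.0.0.5", "dst": "10.0.0.9", "proto": "TCP", "len": 60},
    {"num": 5, "ts": T0 + timedelta(seconds=31), "src": "10.0.0.7", "dst": "10.0.0.1", "proto": "UDP", "len": 90},
    {"num": 6, "ts": T0 + timedelta(seconds=45), "src": "10.0.0.5", "dst": "10.0.0.9", "proto": "TCP", "len": 1514},
    {"num": 7, "ts": T0 + timedelta(seconds=58), "src": "10.0.0.8", "dst": "10.0.0.9", "proto": "TCP", "len": 74},
    {"num": 8, "ts": T0 + timedelta(seconds=90), "src": "10.0.0.7", "dst": "10.0.0.1", "proto": "UDP", "len": 90},
]


def forensic_search(packets, start, end, accept=None, limit=None):
    """Return the packets a search would extract, in capture order.

    start/end : the Time Range (inclusive); the dialog's Duration is simply end - start.
    accept    : a predicate playing the role of the selected filter; None accepts all packets.
    limit     : None, ("packets", n), ("bytes", n) or ("buffer", n), one per Limits choice.
    """
    mode, n = limit if limit else (None, None)
    # A Packet Buffer limit is a ring buffer: once full, each new packet evicts the oldest one.
    found = deque(maxlen=n) if mode == "buffer" else []
    total_bytes = 0
    for p in packets:
        if not (start <= p["ts"] <= end):
            continue
        if accept is not None and not accept(p):
            continue
        found.append(p)
        total_bytes += p["len"]
        # The Packets and Bytes limits stop the search as soon as the count is reached.
        if mode == "packets" and len(found) >= n:
            break
        if mode == "bytes" and total_bytes >= n:
            break
    return list(found)


def search_numbers(start_s, end_s, proto=None, limit=None):
    """Run a search over PACKETS for a window given in seconds after T0; return the packet numbers."""
    accept = (lambda p: p["proto"] == proto) if proto else None
    return [p["num"] for p in forensic_search(PACKETS, T0 + timedelta(seconds=start_s),
                                              T0 + timedelta(seconds=end_s), accept, limit)]


if __name__ == "__main__":
    print("time range only      :", search_numbers(5, 58))
    print("TCP filter, no limit :", search_numbers(5, 58, proto="TCP"))
    print("TCP, 2 packets       :", search_numbers(5, 58, proto="TCP", limit=("packets", 2)))
    print("TCP, 1600 bytes      :", search_numbers(5, 58, proto="TCP", limit=("bytes", 1600)))
    print("TCP, 2-packet buffer :", search_numbers(5, 58, proto="TCP", limit=("buffer", 2)))
```

The Packets and Bytes limits keep the earliest matches and stop, whereas the Packet Buffer limit keeps the latest matches, which is why the same filter returns packets 2 and 4 under a two-packet limit but 6 and 7 under a two-packet buffer.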


CHAPTER 8 Expert Analysis


In this chapter:
About expert analysis ........ 176
Expert views and tabs ........ 176
Configuring expert views ........ 185
Expert EventFinder ........ 189
Visual Expert ........ 192
Network policy settings ........ 206


About expert analysis


The Expert views in OmniPeek and OmniEngines provide expert analysis of response time, throughput, and network applications in a flow-centered view of captured traffic. Expert views also provide a detailed view of every transaction, noting any events encountered in each individual conversation or flow. You can drill down to select the packets associated with a particular event or with any conversation in Expert views.

The Expert EventFinder scans traffic in a capture window, looking for key events. Individual network events are included in the Expert EventFinder, which displays and explains anomalies and sub-optimal performance at all layers of the network. See Expert EventFinder on page 189.

The Visual Expert presents a variety of ways to look at an individual flow, providing a snapshot of all of the packets that were in the buffer for a particular flow at the time the window was created. See Visual Expert on page 192.

The Network Policy dialog allows you to configure network policies and find violations of these policies in a capture window. See Network policy settings on page 206.

Expert views and tabs


The Expert view of a capture window has two data areas. The upper pane displays conversations or flows in the following formats:

- Expert Clients/Servers view
- Expert Flows view
- Expert Application view

The lower pane contains three tabs which present additional information about the selected rows in the upper pane:

- Details tab
- Event Summary tab
- Event Log tab

Note The terms conversation, stream, and flow are synonymous. For example, the end-to-end IP address and UDP or TCP ports form a unique conversation, stream, or flow for a given application.

The parts of the Expert view window are identified below.

[Figure: Expert view window, with callouts for EventFinder Settings, Refresh, Network Policy, Summary Counts, the upper pane (Expert views), and the lower pane (Expert tabs)]

- Flows Analyzed, Events Detected: Shows summary counts in this capture.
- Flows recycled, Packets dropped: Shows summary counts which relate to the Expert's use of memory. See Expert memory usage on page 191.
- Refresh: Updates the Expert with the latest packet information contained in the capture buffer. You can also choose a refresh interval from the drop-down list.
- Expert EventFinder Settings: Opens the Expert EventFinder Settings window, in which you can configure individual expert events. See Expert EventFinder on page 189.
- Network Policy: Opens the Network Policy dialog, in which you can configure expected behavior for the program and compare this to actual events. See Network policy settings on page 206.
- Right-click options: These options include:
  - Save Flow Statistics (see Expert view packet selection on page 188)
  - Visual Expert (see Visual Expert on page 192)
  - Select Related Packets (see Expert view packet selection on page 188)
  - Expert Options dialog (see Expert save functions on page 189)
- Column display: To sort, hide, or rearrange column display, see Configuring column display on page 185. For a complete list and description of the columns available in Expert views, see Expert view columns on page 470.

Tip Choose View > Display Format > Show Port Names to toggle this option directly in the Expert views.

Expert events
For a complete list of expert events, see Appendix E, Expert Events.

Expert Clients/Servers view


The Expert Clients/Servers view makes it easy to track events and to see them in the context of peer-to-peer or client-server traffic patterns.

To display the Clients/Servers view: Select Clients/Servers under Expert in the navigation bar of a capture window.

The hierarchy of information in this view is displayed as follows:

- Pairs of nodes (addresses)
- Individual flows between these addresses
- Individual events under specific flows.


Tip Right-click in the upper pane and choose Expand All to display the hierarchical levels.

The Expert Clients/Servers view shows green or white traffic indicator lights showing activity for the related nodes:

- A green light indicates that the node is active (a packet has been received in the last few seconds).
- A light green light indicates that the node is inactive (a packet has not been received in the last few seconds).

Smaller LED lights appear to the right of the traffic indicators when an event has been detected:

- A red LED indicates one or more events whose severity is Major or Severe.
- A yellow LED indicates one or more events whose severity is Informational or Minor.

Tip Pause the cursor over these indicators to show a data tip with details of recent activity and the severity of the events detected.

The Events column of the Expert Clients/Servers view shows an icon for the most severe event detected. For a complete list and description of the columns available in the Clients/Servers view, see Expert clients/servers, flows, and application view columns on page 470.

Expert Flows view


The Expert Flows view displays each flow independently in a flat table. Flows are numbered in the Flow ID column in the order in which they are identified by the expert. This simplified view allows you to compare flows to one another, regardless of the node pair to which they belong. To display the Flows view:

Select Flows under Expert in the navigation bar of a capture window.


For a complete list and description of the columns available in the Flows view of the expert, see Expert clients/servers, flows, and application view columns on page 470.

Expert Application view


The Application view allows you to link end-user satisfaction with the performance of a network application through the Application Performance Index (Apdex), an open standard that defines methods for reporting application performance. (For a visual presentation of the data in the Application view, see Apdex dashboard on page 66.) The hierarchy in the Application view is displayed as follows:

- Application: protocols like Web/HTTP, Email/POP3
- Server: IP addresses of servers using above protocol
- Client: IP addresses of clients connected to above server (followed by Individual flows between IP addresses and Individual Events)
- Port: Port addresses of the client and server. The first port listed is the client port; the second port listed is the server port. The arrow between the ports shows the direction of the flow.

To display the Application view, select Application under Expert in the navigation bar of a capture window.

The Apdex column represents user satisfaction with application performance as a score from 0.00 (unacceptable) to 1.00 (excellent). The Apdex Sample Count column displays the number of Apdex tasks that have completed for this row.
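The manual does not spell out how the score is derived. As an added illustration, not OmniPeek's own code, the following Python computes Apdex from the formula in the open Apdex standard (satisfied responses count fully, tolerating responses count half, frustrated responses count zero) and groups constructed response-time samples per server, mirroring the Application > Server level of the view. The threshold T, the sample values, the server addresses and the rating bands are taken from the standard or assumed for this example.

```python
from collections import defaultdict

# Apdex (Application Performance Index) per the open Apdex standard. Added reference
# implementation for this section; it is not the product's code.
#   Satisfied : response time <= T
#   Tolerating: T < response time <= 4T
#   Frustrated: response time > 4T
#   Apdex_T   = (satisfied + tolerating / 2) / total samples


def apdex(response_times_ms, t_ms):
    """Return (score rounded to 0.01, sample count); score is None until a task has completed."""
    satisfied = tolerating = total = 0
    for rt in response_times_ms:
        total += 1
        if rt <= t_ms:
            satisfied += 1
        elif rt <= 4 * t_ms:
            tolerating += 1
    if total == 0:
        return None, 0   # no completed tasks: nothing to score yet
    return round((satisfied + tolerating / 2) / total, 2), total


def apdex_rating(score):
    """Word rating used by the Apdex standard for a score between 0.00 and 1.00."""
    if score >= 0.94:
        return "Excellent"
    if score >= 0.85:
        return "Good"
    if score >= 0.70:
        return "Fair"
    if score >= 0.50:
        return "Poor"
    return "Unacceptable"


def apdex_by_server(samples, t_ms):
    """samples: (server_ip, response_time_ms) pairs. Returns {server_ip: (score, count)},
    one row per server as in the Application view's Server level."""
    grouped = defaultdict(list)
    for server, rt in samples:
        grouped[server].append(rt)
    return {server: apdex(rts, t_ms) for server, rts in grouped.items()}


# Constructed HTTP response-time samples (milliseconds) for two servers; T = 500 ms assumed.
SAMPLES = [
    ("10.0.0.9", 120), ("10.0.0.9", 300), ("10.0.0.9", 480), ("10.0.0.9", 900),
    ("10.0.0.9", 1500), ("10.0.0.9", 2100), ("10.0.0.9", 2500),
    ("10.0.0.10", 80), ("10.0.0.10", 95), ("10.0.0.10", 610),
]

if __name__ == "__main__":
    for server, (score, count) in apdex_by_server(SAMPLES, 500).items():
        print(f"{server}: Apdex {score:.2f} ({apdex_rating(score)}) from {count} samples")
```

With T = 500 ms the first server has three satisfied, two tolerating and two frustrated samples, giving (3 + 2/2) / 7 = 0.57; the count returned alongside the score corresponds to the Apdex Sample Count column.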


Note The Apdex dashboard provides a visual display of the data in the Application view. See Apdex dashboard on page 66.

For a complete list and description of the columns available in the Application view, see Expert clients/servers, flows, and application view columns on page 470.

Expert lower pane tabs


Additional information is provided in nested tabs for a row selected in upper panes of the Expert views.

Details tab
The Details tab contains additional details for a single flow or a single pair of nodes selected in the upper pane, identified as Client and Server. For complete descriptions of the items in the Node details tab, see Expert node details tab rows and columns on page 474.

Tip Set the units for throughput in the Expert View Options dialog. See Expert view options dialog on page 185.

Event Summary tab


The Event Summary tab shows the number of times each type of event was encountered. The header shows the Total number of events identified. The Event Summary columns are described below.

- Severity Icon: The severity of the event, as set in the Expert EventFinder window.
- Layer: The network layer to which events of this type belong.
- Event: The EventFinder event definition which identified this packet as an event (for example, TCP Retransmission).
- Count: The number of events of this type observed so far.
- First Time: The date and time of the first time the event of this type was observed.
- Last Time: The date and time of the last time the event of this type was observed.


Event Log tab


The Event Log tab shows a count of total Messages in the log, and counts of events classified by their level of severity. These counts are shown beside the icon for that severity level (Informational, Minor, Major, and Severe). Click the buttons associated with each level of severity to toggle the display of events.

Note The counts will continue to update, even if you choose not to display events of a particular severity.

The Event Log can display up to 50,000 entries, subject to the limits you establish in the Memory Usage section of the Expert EventFinder. See Expert memory usage on page 191. For a complete list and description of the information available in each of the columns, see Expert event log columns on page 473.


Configuring expert views


The Expert Columns dialog lets you show, hide, or rearrange columns in Expert views. The Expert View Options dialog and the Client/Server Colors and Units options of the OmniPeek Options dialog allow you to control the appearance and colors of Expert view features. You can select subsets of packets for further analysis according to a variety of options and save flow statistics and summary data in several formats.

Configuring column display


To rearrange display of columns in Expert views:

- Sort the contents of any column in ascending or descending order.
- Double-click the right edge of a column header to automatically resize the column area.
- Hold down the Shift key and double-click the right edge of any column header to automatically resize all of the columns.
- Use drag and drop in the upper pane of the Expert view to change column order.

To show or hide columns in Expert views:

Right-click the column headers to select the columns you wish to display. You can select Show all Columns to display all available columns. Alternatively, right-click the column header and choose Columns. The Columns dialog appears.

a. Check or uncheck individual column titles to show or hide those columns. You can also:
   - Drag individual columns up or down to change their order in the view.
   - Right-click in the Columns dialog and choose Check All or Uncheck All to show or hide all columns.

b. Click OK to apply your changes to the Expert views.

Note For a complete list and description of available columns in Expert views, see Expert view columns on page 470.

Expert view options dialog


The Expert View Options dialog allows you to control the appearance of the upper pane of the Expert view.


To use the Expert View Options dialog, follow these steps:

1. Right-click and choose Expert View Options. The Expert View Options dialog appears.

2. Fill in the timestamp, throughput, and color parameters. You can also choose to show address or port names.

Note Click the Help button on the dialog to learn about the available options and settings.

3. Click OK to accept your changes.

Setting client/server colors


The Client/Server Colors options of the Options dialog let you control the appearance of client/server data displayed in capture windows.

To select color display of clients and servers:

1. Choose Tools > Options.

2. Select the Client/Server Colors options.


3. Select colors for clients and servers. These color settings appear in all Expert views and Visual Expert tabs that have client/server displays. For example, see PacketVisualizer tab on page 193. They also appear in Web views that have client/server displays. For example, see Requests view on page 242.

4. Click OK.

Note You can also configure global client/server color options in the Packet List Options dialog, PacketVisualizer Options dialog, and Expert View Options dialog.

Setting units for time and throughput


The Units options of the Options dialog let you choose the precision for all time displays in milliseconds, microseconds, or nanoseconds in capture windows.

Note Some views, such as Visual Expert graphs, ignore the time/throughput settings and automatically choose an appropriate display precision. See the Visual Expert Graphs tab on page 197.

To select units for time and throughput:

1. Choose Tools > Options.

2. Select the Units options.


3. Complete the dialog:

- Time units: Select milliseconds, microseconds, or nanoseconds.
  - Select Local Time or GMT/UTC Time. This is the same option as choosing View > Display Format > Local Time.
- Throughput units: Choose the units for throughput displays from the drop-down list.

4. Click OK.

Note You can also configure global time unit options in the Packet List Options dialog, PacketVisualizer Options dialog, and Expert View Options dialog.

Note OmniPeek time precision settings do not affect OmniEngine data.

Expert view packet selection


Right-click and choose Select Related Packets by one of the following options:

- By Client: This option selects all packets to or from the client IP address.
- By Server: This option selects all packets to or from the server IP address.
- By Client and Server: This option selects all packets between the client and server IP addresses.
- By Port: This option selects all packets between the client and server IP address and ports. (This option will usually produce the same results as selecting By Flow, unless a node pair reuses ports for multiple TCP connections.)
- By Flow ID: This option selects all packets by Flow ID.
- By Event Type: This option selects all packets flagged with the selected event. Choosing Select Related Packets from the Event Summary tab provides the same results.

For more information on how to select related packets, see Selecting related packets on page 146.

Expert save functions


Right-click and choose Save Flow Statistics in the Clients/Servers, Flows, or Application views of the Expert to open a Save As dialog with the following file format choices:

- Text (view delimited) *.txt
- CSV (Comma delimited) *.csv

You can also right-click and choose Save Event Summary or Save Event Log in the Event Summary or the Event Log tabs. The same two file format types are supported. The content and arrangement of the saved files match the content of the pane being saved. You can hide or display optional columns or change column order to control the information that will be included in the saved file.

Note The Save As dialogs for the OmniEngine Expert view will offer to save the files on the OmniPeek console computer.

Expert EventFinder
The EventFinder scans traffic in a capture window, looking for network anomalies and suboptimal performance at all layers of the network, from application to physical. It also shows network events associated with VoIP calls and the Apdex score. For a complete list of expert events, see Appendix E, Expert Events.

Tip Click the Show Info button to display the Description, Possible Causes, and Possible Remedies for a selected event. A PDF containing full descriptions of all expert events is located in the Documents folder where you installed OmniPeek.

To open the Expert EventFinder Settings window, choose one of the following:

- Click the Expert EventFinder Settings button in the toolbar of the Expert view.
- Right-click and choose EventFinder Settings.

The parts of the Expert EventFinder Settings window are identified below. The window is context-sensitive and displays only parts relevant to the selected event.

[Figure: Expert EventFinder Settings window, with callouts for Enable All, Disable All, Toggle All, Restore Selected Default, Restore All User Defaults, Set User Defaults, Import Settings, Export Settings, Threshold Assistant, Setting, and Memory Usage]

- Enable All: Select all of the events to be scanned in a capture window.
- Disable All: Deselect all of the events (none will be scanned).
- Toggle All: Reverse state of events between Enable All and Disable All.
- Restore Selected Defaults: Highlight an event or events and click to restore default values.
- Restore All User Defaults: Restore default values to all events.
- Set User Defaults: Establish the current settings as the new (user-defined) default EventFinder settings on the OmniPeek console or the OmniEngine.


- Import Settings: Restores a previously saved group of settings. Click Import Settings and navigate to the location of an *.xml settings file.
- Export Settings: Saves the current EventFinder settings as an *.xml file.

Note When you Import Settings or Export Settings on an OmniEngine, the Open and Save As dialogs will refer to the OmniPeek console computer.

- Event: This column shows the events arranged under their network layers.
- Severity: This column shows the level of severity of notification the Expert will send when it encounters a matching event. Click the entry in the Severity column to set the level of severity of these notifications. See Chapter 16, Sending Notifications.
- Enable: This column allows you to enable or disable individual events or network layers by selecting the check box(es) for that layer. When only some events within a layer are enabled, a square appears in the check box for that layer.
- Setting: Set the Value and units that mark the threshold of the condition for the selected event. For example, if the Setting Value for POP3 Slow Response Time is 150 milliseconds, then when this event is enabled, it will report any response time greater than 150 milliseconds as an event. Note that not all events require a setting value. Some, such as DHCP Request Rejected, simply check for a particular occurrence or packet type.
- Threshold Assistant: This setting helps you choose settings that can be expected to vary with network bandwidth. For example, with POP3 Slow Response Time as the selected event, moving the slider bar to the left will increase the setting value, allowing for the slower POP3 response times that you would expect over a Dial-up connection. If you move the slider bar to the right, the Value decreases, reflecting the faster POP3 response times you would expect over a LAN or Fast LAN, appropriate for POP3 connections over the Internet.
- Memory Usage: Set the maximum memory by entering the value directly in the edit box in MB (megabytes), or by using the slider bar to the right of the edit box. See Expert memory usage on page 191.
- Show Info: Click this button to see a more complete description of the event, including possible causes and remedies.

Expert memory usage


You can set an upper limit on the system resources available to Expert Analysis functions in each individual capture window. For an OmniEngine, these resources are resident on the computer on which the particular OmniEngine capture window was created.


The Memory Usage section of the Expert EventFinder Settings window has two ways to set the maximum memory:

- Enter the value directly in MB (megabytes)
- Use the slider bar to set the value

Values for the Maximum Flows and Maximum Events that can be analyzed using the amount of memory you have selected appear below the edit box and slider bar. The Maximum Flows and Maximum Events represent two separate limits. When the maximum number of flows is reached, older, closed flows will be dropped to make room for new ones. If there are more active flows than this limit, no new flows will be added, but the Expert will continue to analyze existing flows, as well as look for non-flow events for all network traffic. The Memory Usage feature allows the Expert to be used continuously, always presenting the most recent findings, and logging the results to the Event Log.
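The recycling rule described above can be checked with a small model. The following Python is an added example, not the Expert's implementation: the `ExpertFlowTable` class, the `flow_key` helper and the `simulate` driver are assumptions that reproduce the behaviour the manual describes, with the Flows recycled summary count incremented each time a closed flow is dropped for a new one, and a refused-flow count kept for the case where every tracked flow is still active.

```python
from collections import OrderedDict


def flow_key(src_ip, src_port, dst_ip, dst_port, proto="TCP"):
    """Direction-independent flow identity: both directions of a conversation map to one key."""
    a, b = (src_ip, src_port), (dst_ip, dst_port)
    return (proto,) + (a + b if a <= b else b + a)


class ExpertFlowTable:
    """Bounded flow table (assumed model for this example, not the product's code).
    When full, the oldest closed flow is recycled for a new one; if every tracked flow is still
    active, the new flow is not added and only flow-independent analysis would continue."""

    def __init__(self, max_flows):
        self.max_flows = max_flows
        self.flows = OrderedDict()     # key -> {"closed": bool, "packets": int}; oldest first
        self.recycled = 0              # the "Flows recycled" summary count
        self.not_added = 0             # new flows refused because all tracked flows were active

    def observe(self, key, fin=False):
        """Account one packet of flow `key`; return True if the flow is (now) tracked."""
        if key in self.flows:
            flow = self.flows[key]
            flow["packets"] += 1
            flow["closed"] = flow["closed"] or fin
            return True
        if len(self.flows) >= self.max_flows:
            # Oldest closed flow, if any, is the recycling victim.
            victim = next((k for k, f in self.flows.items() if f["closed"]), None)
            if victim is None:
                self.not_added += 1
                return False
            del self.flows[victim]
            self.recycled += 1
        self.flows[key] = {"closed": fin, "packets": 1}
        return True


def simulate(max_flows=2):
    """Drive the table with a constructed packet sequence and return it for inspection."""
    table = ExpertFlowTable(max_flows)
    a = flow_key("10.0.0.5", 40000, "10.0.0.9", 80)
    b = flow_key("10.0.0.6", 40001, "10.0.0.9", 80)
    c = flow_key("10.0.0.7", 40002, "10.0.0.9", 443)
    d = flow_key("10.0.0.8", 40003, "10.0.0.9", 22)
    table.observe(a)                                              # flow A opens
    table.observe(flow_key("10.0.0.9", 80, "10.0.0.5", 40000))    # reply packet: same flow A
    table.observe(b)                                              # flow B opens; table is now full
    table.observe(c)                                              # refused: A and B are still active
    table.observe(a, fin=True)                                    # A closes
    table.observe(c)                                              # A is recycled, C is tracked
    table.observe(d)                                              # refused: B and C are active
    return table


if __name__ == "__main__":
    t = simulate()
    print("tracked:", list(t.flows), "recycled:", t.recycled, "refused:", t.not_added)
```

Running the simulation with a two-flow limit shows one recycled flow and two refused flows, the second refusal coming from a table in which no flow has closed, which is the situation the manual describes as "no new flows will be added".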

Visual Expert
The Visual Expert presents a variety of ways to look at individual flows in the Expert views, providing a static snapshot of all of the packets that were in the buffer for a particular flow at the time the window was created.

Note The OmniPeek Visual Expert is not supported in the Expert views of OmniEngine capture windows.

To open the Visual Expert:

1. Stop capture in a capture window.

2. Choose one of the following:

- In the Flows view, right-click any flow and choose Visual Expert (or double-click any single flow line).
- In the Clients/Servers and Application views, expand the list and select a flow. Right-click and choose Visual Expert (or double-click an event row).

There are six tabs at the bottom of the Visual Expert:

- PacketVisualizer tab
- Payload tab
- Graphs tab
- What If tab
- Compare tab
- Summary tab

PacketVisualizer tab
The PacketVisualizer tab displays all of the packets for both sides of a flow.

[Figure: PacketVisualizer tab, with a callout for the Time Ticks drop-down list]

Packets are displayed as horizontal bars in client/server colors, with arrow and position cues to show in which direction each packet was sent. In the toolbar, the Ticks drop-down list lets you display time as a vertical separation between packets. Sliced packets appear with their sliced portion dimmed. For a complete list and description of the columns available in the PacketVisualizer tab, see Visual Expert PacketVisualizer tab columns on page 475.

Time ticks
To create a vertical time axis within the PacketVisualizer list, choose a value other than None in the Time Ticks drop-down list. In the PacketVisualizer column, the inserted tick mark rows show the delta time from the previous packet. Low-latency packets will be tightly clustered, while slow-responding, high-latency packets will be separated by a larger number of tick-mark rows.

Note After 9 tick-mark rows, the PacketVisualizer inserts a final ellipsis (...) and the actual delta time.

Relative SEQ/ACK numbers


The PacketVisualizer tab displays SEQ and ACK numbers in the Summary column. You can use the context menu to toggle between a shorter and a longer version of these numbers. The actual sequence (SEQ) and acknowledgement (ACK) numbers are typically 9-digit numbers from a large initial random value. For most purposes, only their sequence is significant. Right-click and enable Relative SEQ/ACK Numbers in the context menu to shorten the numbers while preserving their sequence (display shows SEQ and ACK numbers starting at zero, subtracting the lowest observed number from each subsequent number). Disable Relative SEQ/ACK Numbers to display the actual SEQ/ACK number values found in the packets.

Note The Sequence, TCP Trace, and TCP Window graphs in the Graphs tab display sequence numbers as a vertical axis. You can also use the context menu to toggle between relative and absolute values for SEQ/ACK numbers in these graphs.

Highlighting SEQ/ACK relationships


As you select different rows in the PacketVisualizer list, a blue highlight appears to help you follow SEQ/ACK relationships. The packets acknowledged by the selected packet are highlighted light blue, above the selected packet. The first packet that acknowledges the selected packet is also highlighted in light blue, below the selected packet. You can also see this ACK relationship by showing the Acked By and Ack For columns, as in the following figure.
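Both behaviours from this section and the previous one, rebasing SEQ/ACK numbers on each side's lowest observed value and finding which packets a given packet acknowledges (what the Acked By and Ack For columns show), are worked through here for a constructed flow. This is an added Python example, not OmniPeek code; the `Pkt` record, the invented initial sequence numbers, the rule that an ACK covers every earlier peer segment ending at or below it that no earlier ACK from the same side already covered, and the treatment of SYN and FIN as occupying one sequence number are assumptions of the example.

```python
from dataclasses import dataclass


@dataclass
class Pkt:
    num: int          # packet number as shown in the PacketVisualizer list
    direction: str    # "C>S" (client to server) or "S>C"
    seq: int          # absolute TCP sequence number
    ack: int          # absolute acknowledgement number (meaningful only when "A" is in flags)
    length: int       # TCP payload bytes
    flags: str        # subset of "S", "A", "P", "F"


def other(direction):
    return "S>C" if direction == "C>S" else "C>S"


def seq_end(p):
    """Sequence number just past this packet's data; SYN and FIN each occupy one number."""
    return p.seq + p.length + (1 if ("S" in p.flags or "F" in p.flags) else 0)


def relative_numbers(pkts):
    """Map packet number -> (relative SEQ, relative ACK), each side's lowest observed SEQ being 0.
    ACK numbers refer to the peer's sequence space, so they are rebased on the peer's lowest SEQ."""
    base = {}
    for p in pkts:
        base[p.direction] = min(base.get(p.direction, p.seq), p.seq)
    rel = {}
    for p in pkts:
        peer = other(p.direction)
        rel_ack = p.ack - base[peer] if "A" in p.flags and peer in base else None
        rel[p.num] = (p.seq - base[p.direction], rel_ack)
    return rel


def ack_relationships(pkts):
    """Return (acked_by, ack_for): acked_by[n] is the first packet acknowledging packet n (or None);
    ack_for[n] lists the packets that packet n newly acknowledges."""
    acked_by = {p.num: None for p in pkts}
    ack_for = {p.num: [] for p in pkts}
    highest_ack = {}   # highest ACK already sent in each direction
    for i, q in enumerate(pkts):
        if "A" not in q.flags:
            continue
        prev = highest_ack.get(q.direction)
        for p in pkts[:i]:
            if p.direction == q.direction or seq_end(p) == p.seq:
                continue   # same side, or a pure ACK that consumes no sequence space
            end = seq_end(p)
            if end <= q.ack and (prev is None or end > prev):
                ack_for[q.num].append(p.num)
                if acked_by[p.num] is None:
                    acked_by[p.num] = q.num
        if prev is None or q.ack > prev:
            highest_ack[q.direction] = q.ack
    return acked_by, ack_for


# Constructed flow: handshake, a 100-byte request, a 500-byte response sent as two segments.
# The initial sequence numbers are invented large values, as real ISNs are.
C, S = 1_293_847_560, 3_402_118_905
SAMPLE_FLOW = [
    Pkt(1, "C>S", C,       0,       0,   "S"),
    Pkt(2, "S>C", S,       C + 1,   0,   "SA"),
    Pkt(3, "C>S", C + 1,   S + 1,   0,   "A"),
    Pkt(4, "C>S", C + 1,   S + 1,   100, "PA"),
    Pkt(5, "S>C", S + 1,   C + 101, 0,   "A"),
    Pkt(6, "S>C", S + 1,   C + 101, 300, "PA"),
    Pkt(7, "S>C", S + 301, C + 101, 200, "PA"),
    Pkt(8, "C>S", C + 101, S + 501, 0,   "A"),
]

if __name__ == "__main__":
    rel = relative_numbers(SAMPLE_FLOW)
    acked_by, ack_for = ack_relationships(SAMPLE_FLOW)
    for p in SAMPLE_FLOW:
        print(f"#{p.num} {p.direction} {p.flags:2} SEQ={rel[p.num][0]:<4} ACK={rel[p.num][1]!s:<5} "
              f"AckedBy={acked_by[p.num]} AckFor={ack_for[p.num]}")
```

In the output the request (packet 4) is acknowledged by packet 5, and the single ACK in packet 8 covers both response segments 6 and 7, which is the pattern the blue highlight follows when packet 8 is selected.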


PacketVisualizer options dialog


The PacketVisualizer Options dialog lets you set display options for the PacketVisualizer tab.

To set PacketVisualizer display options, follow these steps:

1. Right-click in the PacketVisualizer tab and choose PacketVisualizer Options.

2. Fill in the parameters of your choice.

Note Click the Help button in the dialog to learn about the available options and settings.

3. Click OK to accept your changes.

Chapter 8: Expert Analysis

Saving PacketVisualizer data


Right-click the PacketVisualizer tab and choose Save PacketVisualizer Data. You can save all the data presented in the PacketVisualizer tab to a Text (view delimited)(*.txt) format file or a CSV (Comma delimited)(*.csv) format file.

Payload tab
The Payload tab of the Visual Expert reconstructs the TCP data without the header information. It keeps track of TCP sequence numbers, reassembling out-of-sequence and retransmitted packets. Text protocols such as POP3, SMTP, and HTTP can be read as text, while non-text characters are converted to dots. The toolbar buttons for Client and Server allow you to show or hide client/server data in the Payload tab. Tip If you mouse over a character, a data tip appears identifying which packet contains the displayed data.
[Figure: Payload tab, with the Client and Server toolbar buttons]

You can set background colors for client and server data in the PacketVisualizer Options dialog (see PacketVisualizer options dialog on page 195). You can also choose Tools > Options > Client/Server Colors (see Setting client/server colors on page 186). Tip To change the font size in the Payload tab, hold down Ctrl (the control key) while rolling the scroll wheel on your mouse.

Missing or sliced data


The Payload tab keeps track of TCP sequence numbers, allowing it to report missing, repeated, out-of-sequence, and sliced data. It shows missing and sliced data with [### bytes missing] or [### bytes sliced]. If only a few bytes are missing or sliced, this message is shortened to [...], with one dot for each missing byte. Sliced and missing data appears with a faded background color. Missing (but not sliced) data appears in grey text. Repeated data appears in red.
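An added Python example, written for this page and not OmniPeek code, of the bookkeeping the Payload tab performs: segments are put back in SEQ order, and gaps, slices and retransmissions are reported with the same [### bytes missing] / [### bytes sliced] markers. The SMTP greeting segments are constructed; the cut-off of three bytes for the dotted short form is an assumption (the guide gives no number); and repeated bytes, which the tab shows in red, are replaced here by a [### bytes repeated] marker because plain text has no colour.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Segment:
    seq: int        # relative SEQ number of the first payload byte
    data: bytes     # payload bytes actually present in the capture
    wire_len: int   # payload length on the wire; larger than len(data) when sliced


FEW = 3   # assumption: gaps of at most this many bytes are drawn as one dot per byte


def seg(seq: int, data: bytes, wire_len: Optional[int] = None) -> Segment:
    return Segment(seq, data, len(data) if wire_len is None else wire_len)


# Constructed server-side segments of an SMTP greeting (not from a real capture), listed
# out of order: bytes 28-49 were never captured, the SIZE line was sliced to 8 bytes,
# "250 OK" was retransmitted, and two bytes before "done" are missing.
SEGMENTS: List[Segment] = [
    seg(0,  b"220 mail.example.test ESMTP\n"),
    seg(75, b"\x00\x01ok\n"),                 # arrives before the segment it follows
    seg(50, b"250-SIZE", wire_len=18),        # "250-SIZE 10485760\n" cut by the slice size
    seg(68, b"250 OK\n"),
    seg(68, b"250 OK\n"),                     # retransmission of the same bytes
    seg(82, b"done\n"),
]


def printable(data: bytes) -> str:
    """Keep printable ASCII and newlines; every other byte becomes a dot."""
    return "".join(chr(b) if 32 <= b < 127 or b == 10 else "." for b in data)


def marker(kind: str, n: int) -> str:
    if kind != "repeated" and n <= FEW:
        return "[" + "." * n + "]"
    return f"[{n} bytes {kind}]"


def reassemble(segments: List[Segment]) -> Tuple[str, List[Tuple[str, int, int]]]:
    """Rebuild one direction of the stream in SEQ order.
    Returns the rendered text and a list of (kind, seq, byte_count) anomalies."""
    text, events = [], []
    expected = min(s.seq for s in segments)        # stream starts at the lowest SEQ seen
    for s in sorted(segments, key=lambda s: s.seq):
        end = s.seq + s.wire_len
        if end <= expected:                         # every byte already shown: repeated data
            events.append(("repeated", s.seq, s.wire_len))
            text.append(marker("repeated", s.wire_len))
            continue
        if s.seq > expected:                        # hole in the sequence space
            gap = s.seq - expected
            events.append(("missing", expected, gap))
            text.append(marker("missing", gap))
        elif s.seq < expected:                      # partial overlap: drop bytes already shown
            skip = expected - s.seq
            events.append(("repeated", s.seq, skip))
            s = Segment(expected, s.data[skip:], s.wire_len - skip)
        text.append(printable(s.data))
        if s.wire_len > len(s.data):                # capture slice cut the payload short
            cut = s.wire_len - len(s.data)
            events.append(("sliced", s.seq + len(s.data), cut))
            text.append(marker("sliced", cut))
        expected = end
    return "".join(text), events
```

Sorting by SEQ is what lets the out-of-order "ok" segment land after "250 OK" even though it was captured first; the events list is the machine-readable counterpart of the faded, grey and red rendering in the tab.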

Saving payload data


Right-click in the Payload tab and choose Save Client Data or Save Server Data to create a file with all of the binary data for that side of the conversation.

Graphs tab
The Graphs tab of the Visual Expert displays graphs of data across time. To show a graph for display, select the check box next to its name. Multiple graphs can be displayed simultaneously. There are five types of graphs:

Throughput graph
Latency graph
Sequence graph
TCP Trace graph
TCP Window graph

[Figure: Graphs tab toolbar, with the Zoom In, Zoom Out, Zoom To Fit, Client, Server, and Light or Dark background controls]

The parts of the Graphs tab are identified below.

Zoom In: Click and drag a rectangle across the portion you want to see to zoom into a specific portion of the graph.
Zoom Out: Click to decrease the size of the graph.
Zoom to Fit: Renders the entire graph within the available screen space.
Client: Click to switch the graph display to the direction from client to server.
Server: Click to switch the graph display to the direction from server to client.
Light or Dark: Select a background for graphs from the drop-down list in the toolbar.

Some graphs (Sequence, TCP Trace) display sequence numbers as a vertical axis. To show relative values, right-click and enable Relative SEQ/ACK Numbers. See Relative SEQ/ACK numbers on page 194.

Right-click options:

Relative Time: Displays a horizontal axis with time relative to the first packet in this flow.
Absolute Time: Displays a horizontal axis with clock time.

Data tips: Hold the mouse cursor still over a point on any graph to display a data tip for that point.

For an axis, this shows the value of that axis at the current cursor. For empty graph areas or lines between graph points, this shows the vertical and horizontal values for that point. For graph points, this shows graph-specific data about that point.

Magnifier lens: To magnify the graph area around the cursor, hold down the Shift key or press the Caps Lock key. A small view magnified by 4x appears in the lower right corner.

Throughput graph
The Throughput graph displays the rolling average throughput for the flow, in TCP Sequence Number order over time.

Note While most throughput calculations display the total number of bytes over time, the Throughput graph ignores IP/TCP headers and checksums. It includes only actual TCP payload data in its calculations.

There are two lines in the Throughput graph.

The thin yellow line shows the rolling 1-second average value of throughput. This line tends to change frequently.
The thicker green line shows the rolling 10-second average value of throughput. This line changes more slowly.

Note The Throughput graph does not display data for the first 0.5 seconds of the flow. Not enough data is collected during this period, and the graph tends to display incorrect values until after 0.5 seconds. Both the 1-second and 10-second lines will display data before 1 and 10 seconds have elapsed. In this case, the graphed data is the average throughput up to that time. Both the 1- and 10-second lines show the same data up to the 1-second mark. The Throughput graph only calculates points when there is a packet. Long spans without packets create long spans with straight horizontal lines. Sawtooth waves are common for flows that have bursts of large packets interspersed with zero-data packets.
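The rolling averages and the start-up behaviour described in the note, as an added Python example written for this page (not OmniPeek code). The packet list is constructed; each packet carries both its frame length and its TCP payload length so that the header-ignoring rule can be checked against a total-bytes calculation. The open-interval window boundary and the "average since flow start" rule for the first window are how this example reads the note, not documented OmniPeek internals.

```python
from typing import Dict, List, Tuple

STARTUP_BLANK = 0.5          # seconds at the start of the flow for which no point is drawn
WINDOWS = (1.0, 10.0)        # the thin 1-second line and the thick 10-second line

# Constructed one-direction packet list (not a real capture), sorted by time:
# (timestamp in seconds, bytes on the wire including headers, TCP payload bytes)
PACKETS: List[Tuple[float, int, int]] = [
    (0.0, 1054, 1000),
    (0.3, 1054, 1000),
    (0.6, 1054, 1000),
    (1.0, 1054, 1000),
    (1.2, 54, 0),            # pure ACK: contributes a graph point but no payload
    (2.5, 1054, 1000),
    (11.0, 1054, 1000),      # long idle gap: no points are drawn in between
]


def throughput_series(packets: List[Tuple[float, int, int]], window: float,
                      count: str = "payload") -> List[Tuple[float, float]]:
    """Rolling-average throughput in bytes/second, one point per packet.
    count="payload" reproduces the graph's rule (IP/TCP headers ignored);
    count="frame" shows what a total-bytes calculation would report instead."""
    idx = 2 if count == "payload" else 1
    t0 = packets[0][0]
    points = []
    for t, *_ in packets:
        elapsed = t - t0
        if elapsed < STARTUP_BLANK:
            continue                                   # too little history: graph is blank
        if elapsed <= window:
            # less than one window has elapsed: average everything seen so far,
            # so the 1- and 10-second lines coincide up to the 1-second mark
            total = sum(p[idx] for p in packets if p[0] <= t)
            rate = total / elapsed
        else:
            total = sum(p[idx] for p in packets if t - window < p[0] <= t)
            rate = total / window
        points.append((round(elapsed, 3), round(rate, 1)))
    return points


def both_lines(packets: List[Tuple[float, int, int]]) -> Dict[float, List[Tuple[float, float]]]:
    """The two plotted lines, keyed by window length."""
    return {w: throughput_series(packets, w) for w in WINDOWS}
```

With the sample data the two lines agree at 0.6 s and 1.0 s and then diverge, and the idle gap produces a single point at 11 s rather than a decaying curve, which is the straight horizontal span the note describes.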

Latency graph
The Latency graph displays the time between a packet and the request packet that it acknowledges.

Note Not all flows have latency data. If a flow direction does not have an increasing SEQ number, then the other direction does not have anything to ACK, so the other direction will not have latency data.

Sequence graph
The Sequence graph displays TCP SEQ numbers across time. It displays a simple version of the information in the TCP Trace graph.

Sharp increases in SEQ indicate a burst of high throughput.
Flat horizontal lines indicate zero TCP data throughput.
Downward sloping lines indicate out-of-sequence or repeated data.

TCP Trace graph


The TCP Trace graph creates a rich visualization of a TCP flow, showing two stairstep lines, representing current ACKed data (green) and available window (yellow). This shows how well the client is keeping up with data.

Vertical white arrows indicate each sent data packet, showing how and when the server is talking.
As the client ACKs data, the green stairstep line bumps up. If the client sends an ACK without increasing the ACK number, the TCP Trace graph notes this with a small green tick mark.
As the client slides its window forward or increases its window, the yellow stairstep line bumps up. If the client sends an ACK without moving the window forward, the TCP Trace graph notes this with a yellow tick mark.
As the server sends data, white arrows appear. Each arrow starts at the packet's SEQ number and goes up to span that packet's TCP payload size. Packets without payloads appear as small white X marks (the arrowheads for both SEQ and ACK land on the same point).
The TCP Trace graph shows all TCP flags. For a complete list and description, see Visual Expert TCP Trace graph flags on page 476.

TCP Window graph


The TCP Window graph (shown below the TCP Trace graph in the following figure) shows the size of the available TCP window as it expands and contracts through the course of the TCP session in the current flow.

The TCP window is the amount of unACKed data a particular TCP session will allow on the wire. When a receiver is keeping up with the sender, the available window floats near the top of its range, typically around 64K. As the receiver buffers more and more data, unable to immediately acknowledge its receipt, the available window shrinks. If it dips too low, the Expert will flag this event. When the available window reaches zero (the window is all used up), the sender stops and throughput suffers. Properly tuning TCP windows can have a significant effect on TCP throughput.
TCP Window graphs show data tips, using the same format and information found in TCP Trace graphs.

What If tab
The What If tab of the Visual Expert lets you estimate the effects of changes in various network and application parameters on throughput, utilization, and transaction times in the current flow. As you change the settings at the top of the tab, the values in these columns will change, allowing you to experiment with "what if" scenarios.

The parts of the What If tab are identified below. You can experiment with changes in three classes of settings at the top of the tab:

Protocol/Network section lets you set Avg send packet size, Avg receive packet size, and the length of the time intervals for Latency (ms) and Contention (ms).
Application section lets you set the number of Simultaneous users, the number of Packets per transaction, and the time required for Client processing (ms) and Server processing (ms).
Set the Packet send to receive ratio.
Full Duplex: Select to display Client and Server each on separate lines of the table.
Half Duplex: Select to display matching client and server transactions on a single line of the table (the Client/Server column shows Client/Server for each line).

Right-click options:

Choose Client -> Server or Server -> Client to evaluate the flow in either direction.
Set the precision of the time display to Milliseconds, Microseconds, or Nanoseconds.
Restore Original Values: Select to return to the observed or calculated values when the What If tab was opened.
Save What If Data: Save the data from this tab in either a Text (view delimited)(*.txt) or CSV (Comma delimited)(*.csv) format.

Compare tab
When a flow is open in the Visual Expert, the Compare tab can find that same flow in any other open file or capture, and display the two separately captured instances of that flow side by side, noting any detailed differences between the two. The parts of the Compare tab are identified below.
[Figure: Compare tab, showing the Current flow on the left and the Open capture windows drop-down list]

The Current flow is displayed on the left. Use the drop-down list in the header section to choose any other open capture window or capture file. The Compare tab will search the selected file for a matching flow by IP address and port number pairs and display it on the right.

Packet: The packet number assigned in its capture window or capture file.
Relative Time: Calculated from the first packet in each flow.
IPID: The IP identification value (the Identification field of the IP header).

Packets that appear in one file but not the other are highlighted in green, with a connecting line showing where in the packet sequence the missing packets should appear.

The Compare tab can accommodate out of sequence packets, keeping the middle blue line synchronized across the two flows. Short messages above each table summarize the differences between the two. The Compare tab scans ahead to match packets, and can easily accommodate flows in which most packets are out of sequence by tens of places. When scanning a very large file, this may take a moment to finish.
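An added Python example, written for this page and not part of OmniPeek, of the two steps the Compare tab performs: finding the same flow in another capture by its IP address and port pairs, then lining up the two copies by per-sender IPID so that packets present in only one capture are reported along with the position where they belong. Both captures are constructed; the IP addresses, ports and IPIDs are placeholders, and the placement rule (after the last earlier packet both captures share) is this example's reading of the scan-ahead behaviour described above.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class P:
    t: float
    src: str
    sport: int
    dst: str
    dport: int
    ipid: int       # IP header Identification field, assigned per sender


def flow_key(p: P) -> FrozenSet[Tuple[str, int]]:
    """Direction-independent key: the same flow matches whichever side sent the packet."""
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})


def find_flow(capture: List[P], key: FrozenSet[Tuple[str, int]]) -> List[P]:
    return [p for p in capture if flow_key(p) == key]


C, S = "10.0.0.5", "10.0.0.2"   # constructed client and server addresses


def c(t: float, ipid: int) -> P:
    return P(t, C, 51000, S, 80, ipid)


def s(t: float, ipid: int) -> P:
    return P(t, S, 80, C, 51000, ipid)


# Two constructed captures of the same flow (not real traces): one taken next to the
# client, one next to the server. Client packet 102 never reached the server side,
# server packet 502 never reached the client side, and 500/501 arrive reordered.
CLIENT_SIDE = [c(0.00, 100), s(0.02, 500), c(0.03, 101), s(0.05, 501), c(0.06, 102), c(0.07, 103)]
SERVER_SIDE = [
    c(0.01, 100), s(0.01, 501), s(0.02, 500), c(0.04, 101), s(0.05, 502), c(0.08, 103),
    P(0.03, "10.0.0.9", 4444, S, 80, 9),        # a different flow: must not be matched
]


def pkt_key(p: P) -> Tuple[str, int]:
    return (p.src, p.ipid)


def compare(flow_a: List[P], flow_b: List[P]):
    """Return (only_in_a, only_in_b, matched). only_in_* items are (index in its own
    flow, position in the other flow where the missing packet belongs); matched items
    are (index in a, index in b)."""
    pos_a = {pkt_key(p): i for i, p in enumerate(flow_a)}
    pos_b = {pkt_key(p): j for j, p in enumerate(flow_b)}

    def place(i: int, own: List[P], other_pos: Dict[Tuple[str, int], int]) -> int:
        # the gap belongs after the furthest-along earlier packet both captures share
        earlier = [other_pos[pkt_key(q)] for q in own[:i] if pkt_key(q) in other_pos]
        return max(earlier) + 1 if earlier else 0

    only_a = [(i, place(i, flow_a, pos_b)) for i, p in enumerate(flow_a) if pkt_key(p) not in pos_b]
    only_b = [(j, place(j, flow_b, pos_a)) for j, p in enumerate(flow_b) if pkt_key(p) not in pos_a]
    matched = [(i, pos_b[pkt_key(p)]) for i, p in enumerate(flow_a) if pkt_key(p) in pos_b]
    return only_a, only_b, matched


def summary(flow_a: List[P], flow_b: List[P]) -> Dict[str, int]:
    """The short message shown above each table: counts and the largest reordering."""
    only_a, only_b, matched = compare(flow_a, flow_b)
    return {
        "only_in_a": len(only_a),
        "only_in_b": len(only_b),
        "matched": len(matched),
        "max_displacement": max((abs(i - j) for i, j in matched), default=0),
    }
```

Matching on (sender, IPID) rather than on position is what keeps the two copies synchronized when packets are out of sequence: the reordered 500/501 pair is simply reported as a displacement of two places, not as missing packets.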

Summary tab
The Summary tab of the Visual Expert displays the data that appears in the Node Details tab of the Expert when the same flow is selected. See Details tab on page 183.

Network policy settings


The Network Policy dialog lets you create, edit, save and reload descriptions of the participants and expected behavior of a particular network for the Expert to use in detecting Network Policy violation events. To open the Network Policy dialog, choose one of the following:

Click the Network Policy button in the Expert view toolbar.
Right-click and choose Network Policy from the Expert, WLAN, or Channels views.
Click the Configure button in the Expert EventFinder Settings window when an individual Network Policy event is selected.

There are five network policy events:

Vendor ID policy
Channel policy
ESSID policy
WLAN encryption policy
WLAN authentication policy

Each view describes a particular aspect of a network. When a view is enabled, the Expert notes a Network Policy violation when it sees traffic contrary to the settings in that view. Note You can enable, disable, or set the Severity settings for each view in either the Network Policy dialog or the Expert EventFinder Settings window. Changes made in either dialog are reflected in the other. See Expert EventFinder on page 189.

The Network Policy settings as a whole can be saved or loaded:

Click the Export button to save the current settings in the Expert Settings File (*.exp) format.
Click the Import button to choose a previously saved *.xml file, and use it to replace the current Network Policy dialog settings.

Note The Network Policy settings form part of the settings for the Expert EventFinder. When you export or import settings from the Expert EventFinder Settings window, the Network Policy settings are also included. When you export from the Network Policy dialog, however, only the Network Policy settings are included in the created file.

Vendor ID policy
The Vendor ID policy dialog lets you set a policy based on the MAC addresses of 802.11 WLAN adapters seen by the Expert. Use the table to create a list of MAC addresses (or blocks of MAC addresses, each defined by its vendor ID), then use the buttons at the top of the table to tell the Expert to Accept Matching, or Reject Matching MAC addresses. You can use the asterisk character (*) as a wildcard to represent any byte of the 6-byte MAC address. The Name table ships with a current list of vendor IDs, associating each block of MAC addresses with a particular card vendor name.

[Figure: Vendor ID policy dialog, with the Reject Matching, Accept Matching, Enable, Insert, Edit, Duplicate, Delete, and Severity controls]

Note Click the Help button on the dialog to learn about the available options and settings.

Channel policy
The Channel policy dialog lets you set a policy based on the 802.11 WLAN channels in use, as seen by the Expert. Use the table to create a list of channels, then use the buttons at the top of the table to tell the Expert to Accept Matching, or Reject Matching channels. Note When you first choose a Protocol, the table is populated with the most commonly used channels, including all channels permitted by the regulatory authorities in the United States. Other jurisdictions may permit other channels. To accommodate this, the list of channels is editable.

ESSID policy
The ESSID policy dialog lets you set a policy based on the ESSIDs (Extended Service Set Identifiers) in use, as seen by the Expert. The ESSID is an optional short text string used to identify all access points in a single ESS network. Use the table to create a list of ESSIDs, then use the buttons at the top of the table to tell the Expert to Accept Matching, or Reject Matching ESSIDs.

WLAN encryption policy


The WLAN Encryption policy dialog lets you set a policy based on the encryption method in use, as seen by the Expert. The available encryption methods are: None (no encryption), WEP (Wired Equivalent Privacy), CKIP (Cisco Key Integrity Protocol), and TKIP (Temporal Key Integrity Protocol). Use the buttons at the top of the table to tell the Expert to Accept Matching, or Reject Matching encryption methods.

WLAN authentication policy


The WLAN Authentication policy dialog lets you set a policy based on the authentication method in use, as seen by the Expert. The available authentication methods are:

None (open, unrestricted authentication)
LEAP (Lightweight EAP (Extensible Authentication Protocol))
PEAP (Protected EAP)
EAPTLS (EAP with Transport Layer Security)

Use the buttons at the top of the table to tell the Expert to Accept Matching, or Reject Matching authentication methods. Note Click the Help button on each dialog to learn more about the available options and settings.
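The five policy views evaluated in code, as an added Python example written for this page (not OmniPeek code, and not its Network Policy file format): a MAC pattern matcher with the per-byte asterisk wildcard described under Vendor ID policy, and an evaluator that raises one event per violated view with Accept Matching / Reject Matching semantics. The policy set and the two access point observations are constructed; the vendor block and ESSID are placeholders.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Policy:
    name: str        # which aspect of the WLAN this view describes
    field: str       # key of the observation this view checks
    mode: str        # "accept": anything not listed is a violation; "reject": anything listed is
    entries: tuple   # the table rows of the view
    severity: str = "Major"
    enabled: bool = True


def mac_matches(pattern: str, mac: str) -> bool:
    """Byte-wise MAC comparison; '*' in the pattern stands for any value of that byte."""
    pb, mb = pattern.lower().split(":"), mac.lower().split(":")
    return len(pb) == 6 and len(mb) == 6 and all(a == "*" or a == b for a, b in zip(pb, mb))


def evaluate(policies: List[Policy], observation: Dict[str, object]) -> List[Tuple[str, str, object]]:
    """Return one (view name, severity, offending value) tuple per violated view."""
    events = []
    for pol in policies:
        if not pol.enabled:
            continue
        value = observation[pol.field]
        if pol.field == "mac":
            matched = any(mac_matches(e, value) for e in pol.entries)
        else:
            matched = value in pol.entries
        violated = matched if pol.mode == "reject" else not matched
        if violated:
            events.append((pol.name, pol.severity, value))
    return events


# Constructed policy set; the vendor block 02:ab:cd and the ESSID are placeholders.
POLICIES = [
    Policy("Vendor ID", "mac", "accept", ("02:ab:cd:*:*:*",), "Major"),      # corporate card vendor only
    Policy("Channel", "channel", "accept", (1, 6, 11), "Minor"),
    Policy("ESSID", "essid", "accept", ("corp-wlan",), "Major"),
    Policy("WLAN encryption", "encryption", "reject", ("None", "WEP"), "Severe"),
    Policy("WLAN authentication", "authentication", "accept", ("PEAP", "EAPTLS"), "Severe"),
]

# Constructed observations of two access points, as the Expert would see them.
CORPORATE_AP = {"mac": "02:AB:CD:10:20:30", "channel": 6, "essid": "corp-wlan",
                "encryption": "TKIP", "authentication": "PEAP"}
SUSPECT_AP = {"mac": "02:ef:01:55:66:77", "channel": 13, "essid": "corp-wlan",
              "encryption": "WEP", "authentication": "None"}
```

The second observation is the interesting one for a defender: an AP advertising the corporate ESSID from an unexpected vendor block, on an unexpected channel, with WEP and open authentication trips four of the five views at once, which is the pattern of a misconfigured or impersonating access point.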

CHAPTER 9 Multi-Segment Analysis


In this chapter:
About Multi-Segment Analysis . . . 212
Flow list . . . 214
Flow map . . . 217
Ladder . . . 218
Creating an MSA project . . . 219
Using the MSA wizard . . . 221
MSA project analysis options . . . 229

Chapter 9: Multi-Segment Analysis

About Multi-Segment Analysis


Multi-Segment Analysis (MSA) in OmniPeek allows you to quickly and easily locate, visualize, and analyze one or more flows as they traverse several capture points on your network from end to end. MSA provides visibility and analysis of application flows across multiple network segments, including network delay, packet loss, and retransmissions. MSA can quickly pinpoint problems and their root causes across multiple segments, bring problematic flows together, create an analysis session, report anomalies, and provide graphical visualization of multiple segments across the network.

An easy-to-use MSA wizard allows you to create MSA projects from either multiple OmniEngines located on your network, or from multiple existing capture packet files. Additionally, MSA projects can be created by right-clicking various views from the navigation pane of a capture window.

Important! The time it takes for OmniPeek to build and display an MSA project is dependent on the number of segments, the number of flows, and the number of packets in each flow. MSA includes a limit of 100,000 packets per flow (modifiable from Multi-Segment Analysis Options), but there is no hard limit to the number of segments or flows that can be included in a project. Be selective when choosing data for your MSA projects. If you find that an MSA project is taking too long to build, you can cancel out and reduce your data set.

In order to facilitate the creation of MSA projects based on forensic searches, the following best practices are suggested:

Each OmniEngine should have a unique name. This can be done via the OmniEngine Manager or the OmniEngine Wizard.
Make sure the time is accurate on all of the OmniEngines. If possible, configure the OmniEngine to use an NTP server.
Give each capture a unique name. For instance, name the captures based on the network segments.
Once an MSA project (.msa file) has been created, you may want to save the packet files that were used to create the MSA project for the following reasons:

The packet files will be needed again if you want to add another segment to the MSA project.
You may want to open a trace file related to a particular segment, to see different OmniPeek views, such as the Packets or Flows view.
It may be necessary to rebuild MSA projects to take advantage of new MSA features in future versions of OmniPeek.

In addition, the following Capture Option settings must be enabled for MSA-based forensic searches:

Capture to disk
Timeline Stats (on Classic OmniEngines only)

Note MSA-based forensic searches require Timeline Stats. Classic OmniEngines support Timeline Stats starting with OmniPeek, version 6.8.

MSA project window


Once configured and created using the MSA wizard, an MSA project window is displayed as shown below. The MSA project window consists of the following parts: Flow List, Flow Map, and Ladder.

Note When calculating the delay values for the flow map and ladder, MSA assumes that the client is on the left, and the server is on the right. If you create MSA projects that include multiple flows, all of the flows in the project should be initiated from the same direction. For example, flows initiated by two nodes on the private side of a firewall would be suitable to include in a single MSA project. Flows initiated by a node on the private side of a firewall, and flows initiated by a node on the public side of a firewall would not be suitable to include in a single MSA project.

[Figure: MSA project window, showing the Flow List, Analysis Options, Flow Map, and Ladder]

Flow list
The flow list displays a hierarchical list of flows for each capture source, including relevant information for each flow (client/server addresses and ports, protocols, packet counts, etc.) The flow list is hierarchical, with flows at the top level, and capture segments listed below the flow. Each capture segment includes statistics for that flow. Selecting the check box next to a flow displays that flow in the flow map and ladder diagram below. Note For any MSA project that has multiple flows, only one flow at a time can be selected in the flow list. The flow that is selected is displayed in the flow map and ladder diagram.

Column header: Displays the column headings currently selected. Right-click the column header to enable/disable columns. Here are the available columns:

Flow/Segment: The name of the flow or segment.
Client Addr: The address of the client for the flow.
Client Port: The port on which the Client or Client Addr was communicating in the flow.
Server Addr: The address of the Server or Server Addr for the flow.
Server Port: The port on which the Server or Server Addr was communicating in the flow.
Protocol: The protocol under which the packets in the flow were exchanged.
Packets: The number of packets in the selected flow.

Client Packets: The total number of packets sent from the Client or Client Addr in the flow.
Server Packets: The total number of packets sent from the Server or Server Addr in the flow.
Packets Analyzed: The total number of packets in the flow that were analyzed by OmniPeek's MSA component. Packets Analyzed will be the same as Packets, unless the number of packets in the flow exceeds the packet limit, as configured in MSA options.
Packets Lost: The number of packets missing in the segment. Packets which are identified as lost in a particular segment appeared in at least one other segment in the MSA project.
Client Packets Lost: The number of packets lost in the client direction.
Server Packets Lost: The number of packets lost in the server direction.
Client Retransmissions: The number of TCP retransmissions sent by the client.
Server Retransmissions: The number of TCP retransmissions sent by the server.
Start: The timestamp of the first packet in the flow.
Finish: The timestamp of the final packet in the flow.
Duration: The elapsed time, from the first to the last packet in the flow.
TCP Status: Notes whether the TCP session is open or closed.
Columns: Displays a dialog that lets you enable/disable and organize columns.
Show All Columns: Displays all available columns.

Flow map
The flow map displays a graphical representation of the segments of the selected flow. Each segment in the flow is displayed from end-to-end (client on the left and the server on the right), along with timing statistics (average delay, minimum delay, and maximum delay) between each segment. Additionally, the hop count between each segment is also displayed (the little number inside the cloud between the segments).

Flow map viewing tips


Here are some useful tips when viewing the data inside the flow map:

Hover over segment names and clouds to view tooltips displaying more data.
Press the Ctrl key and use your scroll wheel (Ctrl+Wheel) to change segment widths.

Arrows show the direction in which data flows. The client and server arrows use the same colors as Client/Server Colors (Tools > Options).
The numbers in the clouds are hop counts, as determined by the Time to Live (TTL) values within the packets. If there is one number in the cloud, then the client and server hop counts are the same. If there are two numbers in the cloud, then the client and server hop counts differ, indicating that the client and server paths are different. If there are multiple paths in one direction, no hop count is displayed for that direction. Hop counts greater than one are displayed in red.
The TTL of each packet can be displayed in the Ladder diagram.
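The two MSA calculations described in the Flow list columns (Packets Lost, Client Packets Lost, Server Packets Lost) and in the hop-count tips above, as an added Python example written for this page (not OmniPeek code). Packets are matched across capture points by sender and IPID, which is this example's assumption about how segments are correlated; the branch and data-centre segments are constructed, and the example also covers the asymmetric-path and multiple-path cases the tips mention.

```python
from typing import Dict, List, Optional, Tuple

# Each segment is a list of (sender, IPID, TTL) observations for one flow.
# Constructed sample (not a real MSA project): the same flow captured at a branch office
# (client side, left) and in the data centre (server side, right).
SEGMENTS: Dict[str, List[Tuple[str, int, int]]] = {
    "Branch": [("C", 100, 64), ("S", 500, 125), ("C", 101, 64), ("S", 501, 125),
               ("C", 102, 64), ("C", 103, 64)],                  # 103 lost before the DC
    "DC":     [("C", 100, 61), ("S", 500, 128), ("C", 101, 61), ("S", 501, 128),
               ("C", 102, 61), ("S", 502, 128)],                  # 502 lost before the branch
}
ORDER = ["Branch", "DC"]   # left to right: client side first, server side last


def packets_lost(segments: Dict[str, List[Tuple[str, int, int]]]) -> Dict[str, Dict[str, int]]:
    """Per segment: packets seen in at least one other segment but not in this one,
    split by direction (client = sent by the client, server = sent by the server)."""
    seen = {name: {(s, i) for s, i, _ in pk} for name, pk in segments.items()}
    everything = set().union(*seen.values())
    result = {}
    for name, keys in seen.items():
        missing = everything - keys
        result[name] = {"client": sum(1 for s, _ in missing if s == "C"),
                        "server": sum(1 for s, _ in missing if s == "S"),
                        "total": len(missing)}
    return result


def hop_count(left: List[Tuple[str, int, int]],
              right: List[Tuple[str, int, int]]) -> Dict[str, Optional[int]]:
    """Hops between two adjacent capture points per direction, from the TTL drop of the
    packets seen at both. None when packets in that direction disagree (multiple paths)
    or when no packet in that direction was seen at both points."""
    ttl_l = {(s, i): t for s, i, t in left}
    ttl_r = {(s, i): t for s, i, t in right}
    drops = {"C": set(), "S": set()}
    for key in ttl_l.keys() & ttl_r.keys():
        side = key[0]
        # client traffic travels left to right, server traffic right to left
        drop = ttl_l[key] - ttl_r[key] if side == "C" else ttl_r[key] - ttl_l[key]
        drops[side].add(drop)
    return {side: (next(iter(v)) if len(v) == 1 else None) for side, v in drops.items()}


def cloud_label(hops: Dict[str, Optional[int]]) -> str:
    """Text shown in the cloud: one number when both directions agree, 'client/server'
    when the paths differ, blank for a direction that could not be determined."""
    c, s = hops["C"], hops["S"]
    if c is not None and c == s:
        return str(c)
    return f"{'' if c is None else c}/{'' if s is None else s}"


def flow_map(segments: Dict[str, List[Tuple[str, int, int]]], order: List[str]) -> List[Tuple[str, str, str]]:
    """One (left segment, right segment, cloud label) entry per gap between capture points."""
    return [(order[k], order[k + 1], cloud_label(hop_count(segments[order[k]], segments[order[k + 1]])))
            for k in range(len(order) - 1)]
```

A packet that is missing from every segment cannot be detected by this method, which is why the guide defines Packets Lost relative to the other segments in the project rather than as an absolute count.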

Ladder
The ladder diagram displays the flow of packets amongst the segments represented by the capture sources, along with information such as timing.

Ladder viewing tips


Here are some useful tips when viewing the data inside the ladder diagram:

Hover over packet boxes to view tooltips displaying more data.
Arrows show the direction in which data flows.
Green boxes are the packets that open the flow (SYN and SYN-ACK).
Black boxes are packets with non-zero payload (packets that carry data).
Gray boxes are packets that have zero payload (probably just ACK packets).
Red boxes are packets that close the connection (FIN or RST).
Right-click inside the diagram to show/hide additional statistics, or to adjust the time scale of the ladder.
The following keyboard/scroll wheel shortcuts are available from the ladder display:

Wheel+Ctrl: Changes the time scale.
Wheel+Ctrl+Shift: Zooms the time scale.
Wheel+Ctrl+Shift+Alt: Changes the segment width.
Ctrl+Alt+Shift+F9: Saves the ladder display to text.

Creating an MSA project


To create an MSA project, you must use the MSA wizard. The MSA wizard guides you through the creation of an MSA project, and includes steps for setting up the project parameters and ultimately, displaying the MSA project window. There are multiple ways to start the MSA wizard. Additionally, depending on which way you start the wizard, there are multiple entry points to the MSA wizard. You can start the MSA wizard in the following ways:

From the File menu, choose New Multi-Segment Analysis Project. The MSA wizard appears, and prompts you to create an MSA project by either searching for packets on remote engines, or using packet files:

Searching for packets on remote engines: Select this option and the MSA wizard first guides you through choosing a time range to search, and a filter to apply (making a filter for IP/port pairs is recommended, though any filter supported by OmniPeek will work). Additional wizard screens guide you through choosing which OmniEngines and which capture sessions per OmniEngine you wish to search against. Finally, the wizard performs the search, and the relevant packets are downloaded to OmniPeek for analysis. From there, it works the same way it does for doing multi-segment analysis from files, except that the files are already entered for you (they're the files downloaded from the OmniEngines). You can reorder the segments, rename the segments, change the time offsets, and save the output to an .msa file.

Use packet files: Select this option and the MSA wizard guides you through choosing which files to use (one file per segment), and the time offsets between them. You can also name each segment, and reorder them. Then you can save the resulting project to an .msa file, which can be reloaded later. The .msa file contains all the analysis, so you don't have to do any of this setup again.

From the Packets view in the navigation pane: Right-click one or more packets and choose Multi-Segment Analysis. The MSA wizard appears and guides you through the creation of the MSA project, beginning with choosing a time range to search, and a filter to apply.

From any of the Expert views (Clients/Servers, Flows, and Applications) in the navigation pane: Right-click one or more flows and choose Multi-Segment Analysis. The MSA wizard appears and guides you through the creation of the MSA project, beginning with choosing a time range to search, and a filter to apply. The Multi-Segment Analysis option only appears for IPv4 TCP flows. MSA does not support UDP or IPv6 flows.

From any of the Web views (Servers, Clients, Pages, and Requests) in the navigation pane: Right-click one or more servers, clients, pages, or requests and choose Multi-Segment Analysis. The MSA wizard appears and guides you through the creation of the MSA project, beginning with choosing a time range to search, and a filter to apply.

From the Nodes and Protocols views in the navigation pane: Right-click one or more nodes or protocols and choose Multi-Segment Analysis. The MSA wizard appears and guides you through the creation of the MSA project, beginning with choosing a time range to search, and a filter to apply.

Important! The time it takes for OmniPeek to build and display an MSA project is dependent on the number of segments, the number of flows, and the number of packets in each flow. MSA includes a limit of 100,000 packets per flow (modifiable from Multi-Segment Analysis Options), but there is no hard limit to the number of segments or flows that can be included in a project. Be selective when choosing data for your MSA projects. If you find that an MSA project is taking too long to build, you can cancel out and reduce your data set.

Using the MSA wizard


The MSA wizard guides you through the creation of an MSA project. You can access the MSA wizard in numerous ways as described in Creating an MSA project on page 219. This section describes the various screens of the MSA wizard.

Create a new multi-segment analysis project


The Create a new Multi-Segment Analysis project dialog of the MSA wizard is available by choosing File > New Multi-Segment Analysis. The dialog lets you create a new multi-segment analysis project from scratch.

Search for packets on remote engines: Select this option to create an MSA project based on packets obtained from one or more OmniEngines.
Use packet files: Select this option to create an MSA project based on one or more packet files.

Time range & filter


The Time Range & Filter dialog of the MSA wizard lets you choose a time range and filter to apply to your search.

Start time: Select or enter the start date and time of the range you wish to search.
End time: Select or enter the end date and time of the range you wish to search.
+/- seconds: Select or enter the number of seconds to search both before the start time and after the end time.
Duration: Displays the amount of time between the start and end time specified.
Filter: Displays any filters currently defined for the search.
Edit: Click to display the Edit Filter dialog, where you can define simple and advanced filters based on any combination of addresses, protocols, and ports. A packet must match all of the conditions specified in order to match the filter.
Clear: Click to remove any filters currently defined for the search.

Engines
The Engines dialog displays the groups and OmniEngines currently listed in the OmniPeek OmniEngines window. If you had selected the option to Search for packets on remote engines earlier in the MSA wizard, the Engines dialog appears after clicking Next in the Time Range & Filter dialog of the MSA wizard.

Select the check box of the OmniEngines you want to search in your MSA project. If you are not already connected to an OmniEngine, you are first prompted to connect to it by entering domain, username, and password information.

Enable all: Click this option to select the check boxes of all groups and OmniEngines displayed in the dialog.
Disable all: Click this option to clear the check boxes of all groups and OmniEngines displayed in the dialog.

Capture sessions
The Capture Sessions dialog displays the capture sessions found in each of the selected OmniEngines. If you had selected the option to Search for packets on remote engines earlier in the MSA wizard, the Capture Sessions dialog appears after clicking Next in the Engines dialog of the MSA wizard. A separate *.wpz file is created for each capture session selected, and each file represents a different network segment. When performing multi-segment analysis, OmniPeek uses the *.wpz files to build the MSA project.


Column header: Displays the column headings currently selected. Right-click the column header to enable/disable columns. Here are the available columns:

Engine/Capture Session: The capture sessions available from the OmniEngines selected earlier. Select the check box of the capture sessions you want to search in your MSA project. OmniEngine captures that have both Capture to disk and Timeline Stats enabled in the capture options, and all TimeLine network recorder captures that have Capture to disk enabled in the capture options, appear in the Capture Sessions screen. (MSA-based forensic searches require Timeline Stats.)
Session Start Time: The start time of the capture.
Data Start Time: The start time of when data first appeared in the capture.
Data End Time: The end time of when data last appeared in the capture.
Size: The size (in MB) of the capture session. Size is only displayed for TimeLine capture sessions.
Packets: The number of packets in the capture session.
Packets Dropped: The number of dropped packets in the capture session.
Media: The media type of the capture session.
Adapter: The name of the adapter used for the capture session.
Adapter Address: The address of the adapter used for the capture session.
Link Speed: The link speed of the adapter used for the capture session.


Owner: The owner name of the adapter used for the capture session.

Enable all: Click this option to select the check box of all OmniEngines and capture sessions displayed in the dialog.
Disable all: Click this option to clear the check box of all OmniEngines and capture sessions displayed in the dialog.
Download files: Choose the location where the *.wpz files created for each of the selected capture sessions are saved.

Progress
The Progress dialog displays the status for saving *.wpz files used for multi-segment analysis. If you had selected the option to Search for packets on remote engines earlier in the MSA wizard, this dialog appears after clicking Next in the Capture Sessions dialog of the MSA wizard.

Each entry in the dialog lists the following:

OmniEngine and capture session name
IP address and port
Current status for each file

The progress status messages are as follows:

Search Progress: Progress of the forensic search, based on the time range and filter specified in the wizard
Saving: Search results are saved as a .wpz file on the engine
Deleting Search: The forensic search is deleted on the engine
Download Progress: The .wpz file is downloaded to the OmniPeek computer
Deleting Remote File: The .wpz file is deleted from the engine
Complete: The entire process is complete. Once you see Complete for all capture segments, click Next to continue building the MSA project

Tip You can cancel the progress of any one of the capture segments by right-clicking and selecting Cancel. You can cancel any of the above stages, except for the Saving stage.

Segments
This Segments dialog lets you add supported capture files captured on separate network segments to your MSA project. In order for the MSA analysis to display correctly in your flow maps and ladder diagrams, each segment file must be properly ordered by the route taken from client to server (when displayed in the flow map and ladder, the client is on the left and the server is on the right). You can manually choose to arrange the files in the dialog.

Tip If you do not manually arrange the files by the route taken from client to server, you can use the auto-arrange feature available from the Analysis Options dialog. See MSA project analysis options on page 229.

Note When calculating the delay values for the flow map and ladder, MSA assumes that the client is on the left, and the server is on the right. If you create MSA projects that include multiple flows, all of the flows in the project should be initiated from the same direction. For example, flows initiated by two nodes on the private side of a firewall would be suitable to include in a single MSA project. Flows initiated by a node on the private side of a firewall, and flows initiated by a node on the public side of a firewall would not be suitable to include in a single MSA project.


Insert: Click to insert a new segment. You will be prompted to name the segment and select a supported capture file.
Edit: Click to edit a selected segment. You can choose to rename the segment or choose another supported file for the segment.
Delete: Click to remove a selected segment.
Move Up: Click to move a selected segment up in the ordered list of segments. You can also press (Shift or Ctrl)+Up Arrow to move the segment up in the list.
Move Down: Click to move a selected segment down in the ordered list of segments. You can also press (Shift or Ctrl)+Down Arrow to move the segment down in the list.
Column Header: Displays the column headings currently selected. Right-click the column header to enable/disable columns. Here are the available columns:

Segment Name: The name of the segment.
File: The location and file name of the segment.

Edit segment
This dialog lets you edit a selected segment.


Name: Displays the name of the segment. Type a different name to rename the segment.
File: Displays the location and name of the segment file.

Project file
This Project File dialog lets you save the MSA project file (*.msa). Once saved, the MSA project window is displayed.

Note If your MSA project window is blank, more than likely you have either selected a flow that is not supported by MSA (for example, UDP or IPv6), or it is a flow with fragmented packets.

Project file: Displays the location and MSA project file name (*.msa).


MSA project analysis options


Once you have created or opened an existing MSA project window, you can access the Multi-Segment Analysis Options dialog to edit segment, synchronization, and limit options. Additionally, you can add notes for the project.

To edit MSA options:

1. Click Analysis Options in the MSA project window. The Multi-Segment Analysis Options dialog appears.

2. Complete the dialog:

Insert: Click to insert a new segment. You will be prompted to name the segment and select a supported capture file.
Edit: Click to edit a selected segment. You can choose to rename the segment or choose another supported capture file.
Delete: Click to remove a selected segment.
Move Up: Click to move a selected segment up in the ordered list of segments.
Move Down: Click to move a selected segment down in the ordered list of segments.


Auto Arrange: Click to arrange the segments in order from client to server based on the TTL values in the packets. If you create MSA projects that include multiple flows, all of the flows in the project should be initiated from the same direction. If you create MSA projects that include NAT (Network Address Translation) segments, apply a Mapping Profile before selecting Auto Arrange.
Clear Manual Offsets: Click to set the manual offsets to zero.
Column Header: Displays the column headings currently selected. Right-click the column header to enable/disable columns. Here are the available columns:

Segment Name: The name of the segment.
Calc. Offset: The automatically calculated synchronization offset for the segment.
Manual Offset: The user-specified offset. A manual offset can be used instead of, or in addition to, the automatically calculated offset.
Total Offset: The calculated offset plus the manual offset.
Mapping Profile: The mapping profile associated with the segment. A mapping profile can be created to map private addresses/ports to public addresses/ports. See Creating a mapping profile on page 231.
File: The location and packet file on which the MSA segment information is based.

Columns: Displays a dialog that lets you enable/disable and organize columns.
Show All Columns: Displays all available columns.
Disable auto synchronization: Select this option to disable automatically calculating offset values.
Automatically calculate synchronization offsets: Select this option to enable automatically calculating synchronization offset values. All OmniEngines should be set to the correct time, preferably through the use of an NTP server. But even with NTP servers in use, offsets may be needed to adjust for slight timing inaccuracies across OmniEngines. Automatic calculation of synchronization offsets is based on the TCP SYN and TCP SYN ACK packets. If a segment does not contain the SYN and SYN ACK packets, a dash (-) is shown in the Calc. Offset field. If the MSA project contains multiple flows, the automatic calculation of synchronization offsets is based on all flows.
Limits: Select this check box to enable the limit on the number of packets analyzed per flow, and then enter or select the number of flows.
Notes: Type any notes to append to the MSA project.


3. Click OK.
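The guide states that the calculated offset comes from the TCP SYN and SYN ACK packets, that a segment without both shows a dash, and that the total offset is the calculated offset plus the manual one. The following is an added example, not OmniPeek's own code, of how such an estimate can be made from two segments' handshake timestamps. The symmetric-delay rule it uses, the segment names and every timestamp are assumptions constructed for the example.

```python
from statistics import mean
from typing import Dict, Optional, Tuple

# One segment's view of the TCP handshakes it captured:
# flow key -> (time of SYN, time of SYN-ACK), or None when the segment did
# not capture both packets (the Calc. Offset column then shows a dash).
Handshakes = Dict[str, Optional[Tuple[float, float]]]


def estimate_offset(reference: Handshakes, segment: Handshakes) -> Optional[float]:
    """Clock offset (seconds) of `segment` relative to `reference`.

    Assumption (not the product's documented algorithm): the one-way delay d
    between the two capture points is the same in both directions. With o the
    clock offset of the segment, for a flow seen on both segments:
        seg_syn    - ref_syn    = d + o   (SYN travels client -> server)
        seg_synack - ref_synack = o - d   (SYN-ACK travels server -> client)
    so o = ((seg_syn - ref_syn) + (seg_synack - ref_synack)) / 2.
    With several flows in the project the per-flow estimates are averaged,
    matching the guide's statement that the calculation uses all flows.
    """
    samples = []
    for key, ref_hs in reference.items():
        seg_hs = segment.get(key)
        if ref_hs is None or seg_hs is None:
            continue  # SYN or SYN-ACK missing on one side: no sample
        d_syn = seg_hs[0] - ref_hs[0]
        d_synack = seg_hs[1] - ref_hs[1]
        samples.append((d_syn + d_synack) / 2.0)
    return mean(samples) if samples else None


def total_offsets(reference: Handshakes, segments: Dict[str, Handshakes],
                  manual: Dict[str, float]) -> Dict[str, tuple]:
    """Per segment: (Calc. Offset, Manual Offset, Total Offset), mirroring the
    three columns of the Multi-Segment Analysis Options dialog. A missing
    calculated offset counts as zero in the total."""
    result = {}
    for name, hs in segments.items():
        calc = estimate_offset(reference, hs)
        man = manual.get(name, 0.0)
        result[name] = (calc, man, (calc if calc is not None else 0.0) + man)
    return result


# Constructed handshake timestamps (seconds). The DMZ engine's clock runs
# 0.250 s ahead of the client-LAN engine and sits 10 ms downstream of it;
# the server-LAN engine missed the handshakes of both flows.
FLOW_A = "10.0.0.5:51000>203.0.113.7:80"
FLOW_B = "10.0.0.6:51001>203.0.113.7:80"
CLIENT_LAN: Handshakes = {FLOW_A: (1.000, 1.040), FLOW_B: (2.000, 2.044)}
DMZ: Handshakes = {FLOW_A: (1.260, 1.280), FLOW_B: None}
SERVER_LAN: Handshakes = {FLOW_A: None, FLOW_B: None}

if __name__ == "__main__":
    offsets = total_offsets(CLIENT_LAN, {"dmz": DMZ, "server-lan": SERVER_LAN},
                            manual={"server-lan": 0.005})
    for name, (calc, man, total) in offsets.items():
        calc_txt = "-" if calc is None else f"{calc:+.3f}"
        print(f"{name:<11} calc {calc_txt:>6}  manual {man:+.3f}  total {total:+.3f}")
```

The first segment in client-to-server order plays the role of the reference and has offset zero; the dash for the server-LAN segment is the case the guide describes, and a manual offset is the only way to align such a segment.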

Creating a mapping profile


A mapping profile is used to map private addresses/ports to public addresses/ports.

Note If your project includes a Network Address Translation (NAT) segment, the auto-arrange feature should not be selected until you apply a mapping profile.

To create a mapping profile:

1. From the MSA project window, click Analysis Options to display the Multi-Segment Analysis Options dialog.

2. Click inside the box in the Mapping Profile column for the desired segment. A popup menu appears.

3. Select New. The Mapping Profile dialog appears.

4. Complete the Mapping Profile dialog:

Name: Type a name for the profile.
Insert: Click to display the Address/Port Mapping dialog. Complete the dialog.
Edit: Click to edit a selected mapping. The Address/Port Mapping dialog appears. Complete the dialog.
Delete: Click to delete a selected mapping.
Import: Click to import an MSA mapping file (*.xml).
Export: Click to export a mapping profile to an MSA mapping file (*.xml).
Swap: Click to swap the directions of a selected mapping.

5. Click OK.
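Two statements above go together: Auto Arrange orders segments by the TTL values in the packets, and a NAT segment needs a mapping profile (private address/port to public address/port) before that ordering can work, because otherwise the same flow carries different addresses on different segments. The following added example, which is not OmniPeek's code, shows both: a mapping is applied to a NAT segment, and segments are then ordered by the TTL of the client's SYN, on the assumption that each router hop decrements TTL so the segment seeing the highest client TTL is nearest the client. Segment names, addresses and packets are constructed.

```python
from typing import Dict, List, NamedTuple, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, port)


class Packet(NamedTuple):
    src: Endpoint
    dst: Endpoint
    ttl: int
    syn: bool
    ack: bool


def apply_mapping(pkt: Packet, mapping: Dict[Endpoint, Endpoint]) -> Packet:
    """Rewrite private endpoints to their public equivalents, as a mapping
    profile does for a NAT segment. Endpoints without an entry are unchanged."""
    return pkt._replace(src=mapping.get(pkt.src, pkt.src),
                        dst=mapping.get(pkt.dst, pkt.dst))


def client_syn_ttl(packets: List[Packet], client: Endpoint, server: Endpoint) -> Optional[int]:
    """TTL of the client's SYN (SYN set, ACK clear) for the given flow, or None."""
    for p in packets:
        if p.syn and not p.ack and p.src == client and p.dst == server:
            return p.ttl
    return None


def auto_arrange(segments: Dict[str, List[Packet]],
                 profiles: Dict[str, Dict[Endpoint, Endpoint]],
                 client: Endpoint, server: Endpoint) -> List[str]:
    """Order segment names from client to server.

    Rule (an assumption about a TTL-based arrangement, not the product's
    code): every router hop decrements TTL, so the segment that sees the
    client's SYN with the highest TTL is closest to the client. Segments
    where the flow's SYN cannot be found, for example a NAT segment with no
    mapping profile applied, are appended after the ordered ones.
    """
    ordered, unmatched = [], []
    for name, packets in segments.items():
        mapping = profiles.get(name, {})
        mapped = [apply_mapping(p, mapping) for p in packets]
        ttl = client_syn_ttl(mapped, client, server)
        (unmatched if ttl is None else ordered).append((name, ttl))
    ordered.sort(key=lambda item: -item[1])  # stable: equal TTLs keep their order
    return [name for name, _ in ordered] + [name for name, _ in unmatched]


# Constructed flow: a branch client behind NAT talks to a public server.
PRIVATE_CLIENT: Endpoint = ("192.168.1.20", 40000)
PUBLIC_CLIENT: Endpoint = ("198.51.100.9", 62000)   # the same client after NAT
SERVER: Endpoint = ("203.0.113.7", 443)

SEGMENTS = {
    # tap order below is deliberately scrambled; TTLs decrease per hop
    "datacenter": [Packet(PUBLIC_CLIENT, SERVER, ttl=61, syn=True, ack=False),
                   Packet(SERVER, PUBLIC_CLIENT, ttl=64, syn=True, ack=True)],
    "branch-lan": [Packet(PRIVATE_CLIENT, SERVER, ttl=64, syn=True, ack=False),
                   Packet(SERVER, PRIVATE_CLIENT, ttl=61, syn=True, ack=True)],
    "wan":        [Packet(PUBLIC_CLIENT, SERVER, ttl=63, syn=True, ack=False),
                   Packet(SERVER, PUBLIC_CLIENT, ttl=62, syn=True, ack=True)],
}
# Mapping profile for the NAT segment only: private address/port -> public.
PROFILES = {"branch-lan": {PRIVATE_CLIENT: PUBLIC_CLIENT}}

if __name__ == "__main__":
    print("with mapping profile:", auto_arrange(SEGMENTS, PROFILES, PUBLIC_CLIENT, SERVER))
    print("without it:          ", auto_arrange(SEGMENTS, {}, PUBLIC_CLIENT, SERVER))
```

Without the profile the branch-LAN segment's packets never match the public flow key, so it drops to the end of the order and the flow map would show the client in the wrong place; that is the situation the note above warns about.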


Chapter 10: Web Analysis

In this chapter:

About web analysis . . . 234
Web view window . . . 234
Timing column . . . 236
Web upper pane views . . . 239
Web lower pane tabs . . . 243
Configuring web views . . . 250


Chapter 10: Web Analysis

About web analysis


The Web views of an OmniPeek capture window display packet flow reconstruction of web requests and responses, allowing you to perform forensic searches by drilling down to individual images, files, and pages. Web data is arranged by server, client, page, or request, providing you with a primary focus for your investigation of the original web content. You can select an individual HTTP request and immediately view the corresponding details, header information, a graphic representation of an image, or a packet timing display of the individual packets and phases of that request. For more information on web packet timing displays, see Timing column on page 236 and Timing tab on page 246. Saving and opening web payloads or web statistics is immediately available through right-click options. See Web save functions on page 251.

Note Web views are not supported in OmniEngine capture windows.

Web view window


The Web view window has two data areas. The upper pane displays the same data from four different points of view: by servers, clients, pages, and requests. Expanding the data in Servers, Clients, and Pages views displays the individual requests nested underneath. The lower pane of the Web view window contains four tabs which present additional information about selected rows in the upper panes: web details, client and server headers, the contents of a selected request, or a packet timing representing the packets and phases of an individual request. The parts of the Web view window are identified below.

[Figure: Web view window, with callouts for Summary counts, Timing column, Refresh, Web view columns, Upper pane web views (Pages view), and Lower pane web tabs (Contents tab)]

Summary counts: This area displays the total count of servers, clients, pages, and requests in this capture.
Refresh: You can immediately update the currently displayed Web view with the latest information. You can also choose a refresh interval from the drop-down list.
Web view columns: Right-click the column headers to select the columns you wish to display. For more display options, see Web view columns on page 250. For a complete list and description of the available columns in the Web views, see Web view columns on page 476.
Timing column: Displays duration, packets, and phases of each HTTP request. The Timing column is hidden by default. To display the column, right-click the column header and select Timing. For details, see Timing column on page 236.
Upper pane web views: This area displays web data in four formats: by server, client, page, and request. See Web upper pane views on page 239.
Lower pane web tabs: This area displays additional information corresponding to a selected row or rows of upper pane data in the following four formats: web details, headers, contents, and packet timing. See Web lower pane tabs on page 243.


Right-click options include:

Save Web Statistics: Save Web statistics to a .txt or .csv file. See Web save functions on page 251.
Save Payload: Save payload to the local disk. See Save payload on page 251.
Open Payload in Associated Viewer: Open payload directly from Web view. See Open payload in associated viewer on page 252.
Select Related Packets: Select related packets by various options. See Web packet selection on page 250.

Timing column
The Timing column shows abbreviated versions of the full packet timing graphs displayed in the Timing tab (see Timing tab on page 246). These packet timing graphs show the duration, packets, and phases of each HTTP request. To view the Timing column, right-click in the column header and select Timing.
[Figure: Timing column in the upper pane and Timing tab in the lower pane]

The following key describes the colors and phases of the packet timing:

Orange line: This represents the idle phase, either after SYN sets up the connection but before the first data packet, or after the last data packet but before FIN packets shut down the connection. Often there is little or no idle phase before the first data packet, but a long idle phase after the last packet. This occurs because most clients will keep a connection open in case they need to fetch more data from the server.
Blue line (default client color): This shows the request phase, when the client is sending its HTTP GET and waiting for a response. You can reset the client and server colors in the Client/Server view of the Options dialog. See Setting client/server colors on page 186.
Green line (default server color): This shows the response phase, when the server is sending its data back to the client. You can reset the client and server colors in the Client/Server view of the Options dialog. See Setting client/server colors on page 186.
Purple line: This shows a reset connection, which is the idle period between the last data packet and the TCP RST packet.
Tick marks: Individual server packets appear as tick marks above the packet timing. Individual client packets appear as tick marks below the packet timing. Tick mark height corresponds to TCP payload length.


The following are examples of how to read the phases of the packet timing:

From left to right, an initial orange SYN packet from the client appears below the packet timing, which is almost immediately answered with an orange SYN packet from the server above the packet timing. There is an idle period where the packet timing remains in its orange SYN phase, and then a single blue client request packet appears. The server responds almost immediately with a block of tall green packets. Note: This request lacks a final orange FIN phase, so it is likely that this flow was reused for subsequent HTTP requests. The FIN phase appears after the last HTTP request on this same flow.

From left to right, a tiny orange SYN packet appears above the packet timing, from the server. This is directly above a tiny blue request packet below the packet timing, from the client. An orange SYN packet appears below the packet timing, from the client. There is a blue phase where the client waits for a response, eventually followed by green tick marks showing response packets from the server. The server then pauses a moment before sending the final packet and finishing the request.

In this example, a single blue packet appears below the packet timing, followed by a long purple idle period, and eventually a purple TCP RST packet from the client. This shows that the client requested some data, never heard back from the server, and eventually closed the connection with a TCP reset.

Packet counts in web views


The packet and byte counts in Web views will generally be less than those in the more packet-oriented capture window views such as Nodes or Expert because:

Packet counters in Web views count only TCP data packets and TCP SYN/FIN/RST flags. They ignore ACK-only packets.
Byte counters in Web views count only reassembled TCP payload bytes. They do not include MAC/IP/TCP header, FCS, or repeated data bytes. Byte counts in Web views do include HTTP header bytes.
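The phase key in the Timing column section and the counting rules just given both describe how one TCP flow is read. The following added example, not OmniPeek code, applies both to a constructed HTTP flow: it splits the flow into idle, request, response and reset phases, and counts packets and bytes the way the Web views do (data packets plus SYN/FIN/RST counted, ACK-only packets skipped, retransmitted payload bytes credited only once). The packet record type, the constructed timestamps and the rule that the gap between a response and the next request on a reused connection is idle are assumptions.

```python
from typing import List, NamedTuple, Tuple


class Pkt(NamedTuple):
    t: float       # capture time in seconds
    src: str       # "C" for client, "S" for server
    flags: str     # any of S (SYN), A (ACK), F (FIN), R (RST)
    seq: int       # relative sequence number of the first payload byte
    payload: int   # TCP payload length in bytes (0 for flag-only packets)


def phases(flow: List[Pkt]) -> List[Tuple[str, float, float]]:
    """Split one flow into (phase, start, end) intervals following the key:
    idle after the SYN until the first data packet and after the last data
    packet until the FIN; request from a client data packet until the first
    server data packet; response from that packet to the last server data
    packet of the run; reset after the last data packet until the RST.
    The gap before the next request on a reused connection is labelled idle
    (assumption)."""
    pk = sorted(flow, key=lambda p: p.t)
    data = [p for p in pk if p.payload > 0]
    teardown = next((p for p in pk if "F" in p.flags or "R" in p.flags), None)
    end_of_flow = teardown.t if teardown is not None else pk[-1].t
    if not data:
        return [("idle", pk[0].t, end_of_flow)]
    out = [("idle", pk[0].t, data[0].t)]
    i, n = 0, len(data)
    while i < n:
        start = data[i].t
        j = i
        while j < n and data[j].src == "C":
            j += 1
        if j < n:                                   # the server answered
            k = j
            while k < n and data[k].src == "S":
                k += 1
            out.append(("request", start, data[j].t))
            out.append(("response", data[j].t, data[k - 1].t))
            last, i = data[k - 1].t, k
        else:                                       # request never answered
            out.append(("request", start, data[j - 1].t))
            last, i = data[j - 1].t, n
        if i < n:
            out.append(("idle", last, data[i].t))
        elif teardown is not None:
            kind = "reset" if "R" in teardown.flags else "idle"
            out.append((kind, last, teardown.t))
    return out


def web_counts(flow: List[Pkt]) -> Tuple[int, int]:
    """(packets, bytes) the way a Web view counts them: data packets and
    SYN/FIN/RST packets are counted, ACK-only packets are not; bytes are
    payload bytes counted once per sequence offset, so retransmissions add
    nothing. HTTP headers are payload and are therefore included."""
    packets = 0
    payload_bytes = 0
    covered = {"C": set(), "S": set()}   # offsets already credited (fine for small flows)
    for p in flow:
        if p.payload == 0 and not any(f in p.flags for f in "SFR"):
            continue                      # ACK-only packet
        packets += 1
        fresh = set(range(p.seq, p.seq + p.payload)) - covered[p.src]
        covered[p.src] |= fresh
        payload_bytes += len(fresh)
    return packets, payload_bytes


# Constructed flow: one GET, a three-segment response with one retransmission,
# a long idle period, then a FIN pair.
FLOW = [
    Pkt(0.0, "C", "S", 0, 0),           # SYN
    Pkt(0.02, "S", "SA", 0, 0),         # SYN-ACK
    Pkt(0.021, "C", "A", 1, 0),         # ACK only: not counted
    Pkt(0.5, "C", "A", 1, 180),         # GET / with its headers
    Pkt(0.53, "S", "A", 1, 1460),       # response segment 1
    Pkt(0.531, "S", "A", 1461, 1460),   # response segment 2
    Pkt(0.56, "S", "A", 1461, 1460),    # retransmission of segment 2: 0 new bytes
    Pkt(0.6, "S", "A", 2921, 400),      # response segment 3
    Pkt(0.601, "C", "A", 181, 0),       # ACK only
    Pkt(15.6, "C", "FA", 181, 0),       # client FIN
    Pkt(15.62, "S", "FA", 3321, 0),     # server FIN
]

# Constructed flow for the third example above: a request that is never answered
# and is eventually torn down by a client RST.
RESET_FLOW = [
    Pkt(0.0, "C", "S", 0, 0),
    Pkt(0.02, "S", "SA", 0, 0),
    Pkt(0.021, "C", "A", 1, 0),
    Pkt(0.5, "C", "A", 1, 180),
    Pkt(30.0, "C", "RA", 181, 0),
]

if __name__ == "__main__":
    for name, flow in (("FLOW", FLOW), ("RESET_FLOW", RESET_FLOW)):
        print(name, web_counts(flow))
        for phase, start, end in phases(flow):
            print(f"  {phase:<8} {start:8.3f} -> {end:8.3f}")
```

The packet count of nine for FLOW is what a Web view would show where a Nodes view counts eleven, and the byte count of 3500 excludes the retransmitted 1460 bytes while still including the 180 bytes of HTTP request headers.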


Web upper pane views


Servers view
The Servers view of a capture window lets you focus on which servers are being used. When the data is expanded, the list of servers is shown with nested information in the following hierarchy: the servers, the clients using those servers, the pages that each client requests, and the individual requests that make up each page.


Clients view
The Clients view of a capture window lets you focus on clients first, with nested information in the following hierarchy: the clients, the servers used by the clients, the pages that each client loads from each server, and the individual requests that make up each page.


Pages view
The Pages view of a capture window shows a list of pages with each individual request that makes up that page nested underneath. When collapsed, this view presents a sortable list of every web page visit in the capture.


Requests view
The Web Requests view of a capture window shows a flat list of individual HTTP requests (usually HTTP GETs and POSTs). This view shows each image, JavaScript, HTML file, and other HTTP request in the capture nested underneath.

Tip Along with relevant filters, this view can provide the quickest way to drill down to the raw data for analysis.


Web lower pane tabs


Additional information is provided in the four lower pane tabs for each selected row in the upper pane of the Web view.

Details tab
The web Details tab lists information about the first selected row in the upper pane, including Host, Response Code, Referer, Content-Type, Request ID, and Flow ID. Data is displayed individually for client and server.


Headers tab
The web Headers tab displays HTTP headers for a selected request in client colors and its response in server colors.

Note The Headers tab displays data only when a single request is selected. Therefore, data in the Servers, Clients, or Pages views must be expanded in order to select a single request.


Contents tab
The Contents tab displays the web page text, image, or HTML source text of the first selected request.

Note The Contents tab displays data only when a single request is selected. Therefore, data in the Servers, Clients, or Pages views must be expanded in order to select a single request.

Contents tab options


You can right-click inside the Contents tab to enable/disable the following options for viewing the reconstructed document selected in the upper panes:

Display HTML as Source Text: Displays the contents of a reconstructed document as HTML source text.
Display HTML as HTML: Displays the contents of a reconstructed document as it would appear when viewed in your browser.


Tip To display a reconstructed document as a complete HTML page, search for and select reconstructed documents that display text/html in the Content-Type column. Please note, however, that not every instance of text/html in the Content-Type column will display a complete HTML page.

JavaScript Execution: Enables embedded or linked scripts (JavaScript, VBScript, etc.) to run in the browser.
ActiveX: Enables ActiveX controls to run in the browser.
Background Sounds: Enables playing background sounds contained in the reconstructed document.
Download Images: Enables viewing of images contained in the reconstructed document. (Images are not downloaded from the Internet, but from other reconstructed flows.)

Timing tab
The Timing tab displays a packet timing of all the packets in the selected request row or rows. This tab lets you view all of the requests of a web page simultaneously, across multiple flows, multiple servers, and through time. You can view a complete HTML page load from start to finish, within a single graph, with packet-level precision. For examples of how to read the information displayed in the Timing tab, see Timing example of single request on page 248 and Timing example of multiple requests on page 249. The parts of the Timing tab display are described below.

[Figure: Timing tab, with callouts for Zoom Out, Zoom In, Zoom to Fit, Light/Dark, Data tip, Selected requests, and Packet display details]

Zoom In: Click and drag a rectangle across the portion you want to see to zoom into a specific portion of the graph.
Zoom Out: Click to decrease the display of the packet timing.
Zoom to Fit: Click to render the entire packet timing within the available screen space.
Light/Dark: Choose a light or dark background color for the packet timing display.
Data tip: Hold the cursor over a point on the packet timing to view a data tip displaying payload size, relative time, and number of requests and responses.
Packet display details:
Client request packets appear below the grey packet timing.
Server response packets appear above the grey packet timing.
The size of a packet is indicated by the size of its tick mark. Larger tick marks indicate larger packets.


Different packet colors identify TCP flags, HTTP warnings and errors, client and server packets. Reference bars at the bottom of the graph give a rough sense of scale.

Note HTTP timing graphs share the same tools with Visual Expert graphs. (See Visual Expert on page 192.) You can drag a rectangle to zoom, change colors to light or dark, and use the SHIFT or CAPSLOCK key to show a magnifier view of the graph.

Timing example of single request


Flow 1 in the following example contains a single request to http://wildpackets.com.

To view this flow:

Select http://www.wildpackets.com in the upper pane of the Web view window.

An initial pair of orange SYN packets starts this flow, one below the packet timing from the client, and one above the packet timing from the server. These are flag-only packets, since they do not touch the grey horizontal packet timing. The SYN connection packets are immediately followed by a single blue request packet below the packet timing: the request to GET /. The server immediately responds with a yellow warning packet (yellow packets are HTTP 300-399 warning responses). The 302 indicates that the page was found, but at a different location. The browser is therefore being redirected to http://www.wildpackets.com.

Note If this were an HTTP 400+ error such as 404 Page not found, the packet and number would appear in red.

The connection stays open, though idle, for about 15 seconds (1.5 times the length of the 10 seconds reference bar). A pair of FIN packets then close the TCP connection.


Timing example of multiple requests


Flow 2 in this example contains multiple consecutive requests, starting with http://wildpackets.com:

To view this flow:

1. Select http://www.wildpackets.com in the upper pane of the Web view window.

The client's initial SYN packet is obscured by the first blue request packet, but the server's SYN response is clearly visible. A blue client request packet is followed by several green response packets. The green response packets are probably maximum size, since they are close in height to the 1500 bytes reference bar. The cluster of green packets has additional green dots over the packets, indicating that multiple packets occupy the same screen pixel. One dot indicates one additional packet, two dots for two packets, and three dots for three or more additional packets. There are many green packets here, indicating that this is a sizeable response. If you hold the mouse over the green packets, a tooltip shows that Request ID 2 squeezes 39 response packets and 45KB into that tiny space.

2. Zoom in to see that there are actually 18 complete request/response sequences in the first 20 pixels of horizontal space. Drag a rectangle around the cluster of packets to view the following image:


It is now possible to see the initial query and its many large response packets, then a series of six tiny requests, each with a short response that fits in a single packet. Eventually more queries fire, with different idle periods between them. You can also see that the time scale has changed, and that a 100 milliseconds reference bar shows that this entire sequence takes less than about 500 milliseconds.

Note All of these request/responses happen on a single horizontal packet timing. This implies that the browser never queues up the next request until the previous response completes.

Configuring web views


You can customize the display of columns in the Web views, select packets for further analysis using a variety of options, and save web statistics or payloads in several formats.

Web view columns


Right-click in the column headers to select the columns you wish to display. Use drag and drop in the upper pane of the Web views to change column order. You can sort the contents of any column in ascending or descending order. Double-click the right edge of a column header to automatically resize the column area. Hold down the Shift key and double-click the right edge of any column header to automatically resize all of the columns. For a complete list and description of the columns common to all the Web views of a capture window, see Web view columns on page 476.

Web packet selection


Right-click and choose Select Related Packets in Web views by one of the following eight options:

By Client: This option selects all packets to or from the client IP address.
By Server: This option selects all packets to or from the server IP address.
By Client and Server: This option selects all packets between the client and server IP addresses.
By Port: This option selects all packets between the client and server IP address and ports. (This option will usually produce the same results as selecting By Flow, unless a node pair reuses ports for multiple TCP connections.)
By Flow: This option selects all packets in the flow identified in the Flow ID column.
By Request: This option selects all client packets in the selected HTTP request.
By Response: This option selects all server packets in the selected HTTP response.
By Request and Response: This option selects all packets in the selected HTTP request and response.

Note Request, Response, and Request and Response packets also select TCP SYN packets for the first request on a flow, and FIN and RST packets for the last request on a flow. They do not select ACK-only packets.

For more information on how to select related packets, see Selecting related packets on page 146.

Web save functions


You can choose to save web statistics or web requests in the Web views of a capture window.

Save web statistics


To save web statistics:

1. Right-click the request file in the upper pane of the Web view window and select Save Web Statistics.

2. Save the statistics in one of the following formats:

Text (tab delimited) *.txt
CSV (comma delimited) *.csv

The content and arrangement of the saved files match the content of the pane being saved. You can hide or display optional columns or change column order to control the information that will be included in the saved file.

Save payload
You can save a single web request to the local disk.


To save a file:

1. Right-click the request file in the upper pane of the Web view window and select Save Payload(s) [filename].

2. Browse to the location where you want to save the file(s). Filenames are automatically generated when multiple requests are selected and saved to the local disk.

Open payload in associated viewer


You can open a single request directly from the Web view of a capture window.

To open a file in the associated viewer:

Right-click the request file in the upper pane of the Web view window and select Open Payload in Associated Viewer.


Chapter 11: Voice & Video Analysis

In this chapter:

About Voice & Video analysis . . . 254
Voice & Video view window . . . 254
Voice & Video upper pane views . . . 256
Voice & Video lower pane tabs . . . 258
Calls and Media options . . . 261
Configuring options in Voice & Video views . . . 270
Summary voice and video statistics . . . 271


Chapter 11: Voice & Video Analysis

About Voice & Video analysis


If you have purchased OmniPeek Enterprise, voice and video over IP signaling and media is available for capture analysis. Voice over IP and Video over IP refer to protocol suites used to set up and maintain two-way voice or video communications over the Internet. Voice and video protocol suites include those relating to SIP, SCCP, RTSP, H.323, Avaya, etc. The unit of communication is the call, and an individual call may be carried in multiple channels, some dedicated to signaling and others to carrying the encoded voice data. The encoded data is referred to as media, and a call containing such data has media channels. Media channels contain RTP (Real-time Transport Protocol) or RTCP (RTP Control Protocol) data. The conversion of voice data into digital form and back again is accomplished using a particular codec (coder/decoder), specified in the RTP header. The Voice & Video views in capture windows provide simultaneous analysis of voice and video traffic with subjective and objective quality metrics. The Calls view displays one row for each call in a capture and the Media view displays one row for each RTP media flow in a call.

Note OmniPeek voice and video analysis derives its call quality metrics from industry-standard Telchemy technology.

The Voice & Video Visual Expert displays signal bounce diagrams of the signaling and RTP/RTCP packets of an entire call in a single window. See Voice & Video Visual Expert on page 262.

Voice & Video view window


The Voice & Video views have two data areas. The upper pane contains voice and video data arranged by call or by the media streams within a call. See Voice & Video upper pane views on page 256. The lower pane contains three tabs which present additional information for a row or rows selected in the upper pane, allowing you to view call details, a summary count of the expert events found in the capture, or a capture log of the individual VoIP expert events. See Voice & Video lower pane tabs on page 258. The parts of the Voice & Video view window are identified below.


OmniPeek User Guide

Figure: Voice & Video view window, with callouts for Summary Counts, Refresh, Play Audio, Playback Options, EventFinder Settings, the upper pane views (Calls view), and the lower pane tabs (Details tab).

Summary counts: This area displays the current calls, total calls, and media flows in the capture. Current Calls reflect the calls that are currently displayed within the Calls view. Total Calls reflect all calls that have ever been displayed in the Calls view.

Refresh: You can immediately update the currently displayed Voice & Video view with the latest information. You can also choose a refresh interval from the drop-down list.

Play Audio: This button lets you play the audio from a call or media flow that has a playback-supported codec. The button is only available when a selected call or media flow has a playback-supported codec.

Playback Options: This button opens the Media Playback Options dialog where you can adjust the jitter buffer settings. A jitter buffer temporarily stores arriving packets in order to minimize delay variations. If packets arrive too late, they are discarded. To make fine adjustments to the slider bar, click the slider bar and move to an approximate position, then use the arrow keys to get the exact value you want.

For playback with best quality, clear the Use jitter buffer check box. OmniPeek will then play back the media as if there were an infinite jitter buffer. All RTP packets will be played back at a regular interval, and packets that arrive out of sequence will be re-ordered. To hear what the media sounds like with a specific buffer size, select the Use jitter buffer check box.

EventFinder Settings: This button opens the Expert EventFinder Settings dialog. The EventFinder scans traffic in a capture window, looking for network anomalies and suboptimal performance at all layers of the network, from application to physical. It also shows network events associated with VoIP calls and the Apdex score.

Upper pane Voice & Video views: This area displays voice or video data arranged by calls or media. See Calls view on page 256 and Media view on page 257. Additional options are available from these views by right-clicking a call or media flow. See Calls and Media options on page 261.

Lower pane Voice & Video tabs: This area displays additional information corresponding to a selected row of data in the upper pane. See Voice & Video lower pane tabs on page 258.

Voice & Video upper pane views


The upper pane contains captured voice data arranged in two formats: by individual call or by the individual media streams within a call.

Tip: In the upper pane, you can hover over one of the colored globes for each call or media flow to display a tooltip showing the quality score key.

Calls view
The Calls view displays one row for each call. Each call is displayed in the order in which it was captured, with call number, call name, and end cause information. You can click any column header to sort by that column data.

Note: The Calls view has a 2000 call limit. Once the limit is reached, older calls are removed to allow for the new calls.

Right-click the column header to display additional view columns. See Voice & Video view columns on page 270 and Voice & Video view columns on page 478 for a complete list and description of the available columns.


To view a visual display of the call details, right-click a call and select Voice & Video Visual Expert (or double-click the call). See Voice & Video Visual Expert on page 262 for more information.

Media view
The Media view displays one row for each RTP media flow in a call. A voice call will usually have two media flows, one for each direction. Video calls will usually have four media flows: two voice and two video.


Right-click the column header to display additional view columns. See Voice & Video view columns on page 270 and Voice & Video view columns on page 478 for a complete list and description of the available columns, including those providing distinct voice and video quality scores.

Voice & Video lower pane tabs


Additional information is provided in nested tabs for selected calls or media flows displayed in the upper pane of the Voice & Video view.


Voice & Video Details tab


In the Calls view, the Details tab contains all the information about the call. Every column in the Calls view is displayed in the Details tab.

Figure: Details tab

Note: In the Media view, the Details tab displays details about the selected media flow and the call that contains it.


Voice & Video Event Summary tab


The Event Summary tab shows a count of each expert event for this capture. Severity levels configured in the EventFinder are displayed to the left of each voice and video expert event. Selecting an event in the Event Summary tab will also highlight the corresponding flow or call in the upper pane.

Note: The Expert EventFinder contains many VoIP expert events, including those relating to H.225, MGCP, RTP, and SIP. For details, see Expert EventFinder on page 189.

Figure: Event Summary tab


Voice & Video Event Log tab


The Event Log tab shows a list of all expert events found in this capture. The four toggle buttons in the Event Log tab header let you show or hide events by levels of severity. See Expert EventFinder on page 189 for instructions on how to configure levels of severity for voice and video expert events.

Figure: Event Log tab

Calls and Media options


You can right-click a call or media flow in the Calls or Media views to display the following options:

Voice & Video Visual Expert: Opens a Voice & Video Visual Expert window for the selected call or media flow. See Voice & Video Visual Expert on page 262.
Save Voice & Video Statistics: Saves statistics for the entire list of calls or media flows to a .txt or .csv file. See Saving voice and video statistics on page 267.
Play Audio: Opens the default media player and plays the selected call or media flow. See Playing calls or media as audio on page 268.
Playback Options: Opens the Media Playback Options dialog where you can adjust the jitter buffer settings.
Save Audio WAV File: Saves the selected call or media flow as a WAV file. See Saving calls or media as audio WAV files on page 268.
Select Related Packets: Selects related packets of the selected call or media flow by call-related options. See Selecting voice and video related packets on page 268.
Select Related Call (Media view only): Selects related calls of the selected media flow.
Select Related Media (Calls view only): Selects related media of the selected call.
Make Filter: Makes a filter based on the selected call or media flow. See Making a voice or video filter on page 269.
Insert Into Name Table: Opens a dialog to add the selected call or media flow into the Name Table. See Adding entries to the name table on page 364.
Resolve Names: Checks the DNS server for a name to match the supplied address. See OmniPeek name resolution on page 368.
Show All Calls (Calls view only): Displays all calls in the Calls view.
Show Open Calls (Calls view only): Displays only the open calls in the Calls view.
Show Closed Calls (Calls view only): Displays only the closed calls in the Calls view.
Show All Media Flows (Media view only): Displays all media flows in the Media view.
Show Open Media Flows (Media view only): Displays only the media flows associated with open calls.
Show Closed Media Flows (Media view only): Displays only the media flows associated with closed calls.

Voice & Video Visual Expert


The Voice & Video Visual Expert displays each individual packet of an entire call within a single window, as well as the RTP packet timing, jitter, and quality score over time. If there are gaps of missing or late RTP packets, these gaps are also displayed, along with their effect on call quality. The Signaling tab of the Voice & Video Visual Expert window displays a signal bounce diagram with columns corresponding to each node participating in the call. Signaling and media stream packets are represented by horizontal lines, giving you an immediate overview of the contents of a call. The bounce diagram also includes linear representations as well as numerical measurements of R-Factor and jitter values.


In addition to displaying many of the same columns available in the Calls and Media views, the Voice & Video Visual Expert contains columns that allow you to calculate the relative time lapse between individual packets, the signaling sequence method of the call, and more (see Voice & Video Visual Expert columns on page 482).

Note: The Voice & Video Visual Expert displays only calls, not individual media flows. Opening a Voice & Video Visual Expert window for one or more media flows is the same as opening their corresponding calls.

To view the Voice & Video Visual Expert:
1. Select one or more calls or media flows in the Calls or Media views of a capture window.
2. Right-click and choose Voice & Video Visual Expert. The Signaling tab for this call or calls appears.

The parts of the Signaling tab are described below.

Figure: Signaling tab, with callouts for the Caller, Gatekeeper and Callee node columns, a signaling packet, and the VoIP Visual Expert columns.

Nodes: Each node participating in the call gets a vertical line, with the caller usually on the left, the gatekeeper in the middle, and the callee on the right.

Signaling packets: Each signaling packet appears as a black horizontal arrow, with a summary above the arrow. Packets that start a call (such as SIP INVITE packets) start with a small diamond. Packets that usually mean the end of call setup (such as SIP ACK packets) start with a small bar. The time between these two packets is the call setup time.

RTP/RTCP packets: RTP/RTCP media packets appear as horizontal light grey arrows, with a green R-Factor and blue jitter line graph above the arrow. See RTP/RTCP Rows on page 266.

Voice & Video Visual Expert columns: Right-click the column header to display available columns. For example, selecting Relative Time displays the time elapsed between the start of the call and each individual signaling and RTP media packet.

Figure: Relative Time column in the Voice & Video Visual Expert.

For a complete list and description of Voice & Video Visual Expert columns, see Voice & Video Visual Expert columns on page 482.

Right-click options:
Go To Packet: Show a selected packet in the Packets view and bring the Packets view to the front.
Decode Packet: Open a decode window for the selected packet.
Select Related Packets:
By Call: All signaling, media, and media control packets for the selected call.
By Source: All packets to or from the source IP address.
By Destination: All packets to or from the destination IP address.
By RTP/RTCP Packets: All packets in the RTP/RTCP row.

See Selecting related packets on page 146 for more information about using this feature.

Call background color: Each call gets its own background color in the bounce diagram, making it possible to follow several simultaneous calls within a single window.

RTP/RTCP Rows
The media or voice streams (RTP/RTCP packets) within a call display in the Signaling tab as rows progressing through time, from the first packet in the row at the left to the last packet at the right. Since most calls are bidirectional, a pair of rows often appears, with one row for each direction. The parts of the RTP/RTCP media packets in a bidirectional call are identified below.

Grey arrows and numbers: Grey horizontal arrows represent the RTP/RTCP media packets. The last packet in the row displays a small grey number showing the entire duration for the row. (Trivial durations are not shown for very brief rows.)
Green lines and numbers: Green horizontal lines show R-Factor conversational values, with the row's final value and minimum-maximum range in green to the right of the last packet in the row.
Blue lines and numbers: Blue lines show jitter values, with the row's final value and minimum-maximum range in blue to the right of the last packet in the row.
Blue tick marks: Blue tick marks represent RTCP packets.
Grey tick marks: Grey tick marks represent out-of-sequence RTP packets.
Red tick marks: Red tick marks show gaps of one or more missing packets.

Note: Gaps where no packets appear are readily visible, as well as their immediate effects of lowering R-Factor and raising jitter values. As you widen the bounce diagram column, the Voice & Video Visual Expert can break an RTP line into its individual packets, as shown below.

Saving voice and video statistics


To save voice and video statistics, right-click the call or media flow in the Calls or Media views, and choose Save Voice & Video Statistics. You can save statistics in the following formats:

Text (tab delimited) *.txt
CSV (Comma delimited) *.csv

The content and arrangement of the saved files matches the content of the pane being saved. You can hide or display optional columns or change the column order to control the information that will be included in the saved file.


Playing calls or media as audio


To play the audio, right-click the call or media flow in the Calls or Media views, and choose Play Audio (you can also select the call or media flow and click the Play Audio button in the upper pane header). The default media player starts and begins playing the audio of the selected call.

Note: The Play Audio option is only available when a selected call or media flow has a playback-supported codec.

You can click the Playback Options button to open the Media Playback Options dialog where you can adjust the jitter buffer settings. A jitter buffer temporarily stores arriving packets in order to minimize delay variations. If packets arrive too late, they are discarded. To make fine adjustments to the slider bar, click the slider bar and move to an approximate position, then use the arrow keys to get the exact value you want.

For playback with best quality, clear the Use jitter buffer check box. OmniPeek will then play back the media as if there were an infinite jitter buffer. All RTP packets will be played back at a regular interval, and packets that arrive out of sequence will be re-ordered. To hear what the media sounds like with a specific buffer size, select the Use jitter buffer check box.
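The two playback modes described here (and under Playback Options in the view window section earlier in this chapter), simulated on a constructed RTP flow. This is an added example and not OmniPeek's code; it assumes a G.711 8 kHz clock with 20 ms packets, treats a packet as too late when it arrives after its scheduled playout instant, and uses the RFC 3550 interarrival formula for the jitter figure the Visual Expert graphs.

```python
"""Jitter-buffer playout simulation for one RTP media flow (constructed data).

Added example, not OmniPeek code. Models the two playback modes of the Media
Playback Options dialog: with a finite jitter buffer, each packet is due at
(arrival of the first packet + buffer depth + its RTP time offset), and a
packet arriving after its due time is discarded; with no buffer limit (the
"infinite" mode) every packet is kept and simply re-ordered. The jitter
estimate is the RFC 3550 interarrival formula (assumed here to match the
blue jitter line the Visual Expert graphs).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

CLOCK_RATE = 8000  # Hz; G.711 audio, 160 ticks per 20 ms packet (assumption)


@dataclass(frozen=True)
class RtpPacket:
    seq: int           # RTP sequence number
    timestamp: int     # RTP timestamp in clock ticks
    arrival_ms: float  # capture (arrival) time in milliseconds


def ticks_to_ms(ticks: int) -> float:
    """Convert an RTP timestamp difference to milliseconds."""
    return ticks * 1000.0 / CLOCK_RATE


def simulate_playout(packets: List[RtpPacket],
                     buffer_ms: Optional[float]) -> Tuple[List[int], List[int]]:
    """Return (sequence numbers played, in playout order; sequence numbers discarded).

    buffer_ms=None models the cleared "Use jitter buffer" check box: an
    infinite buffer, so nothing is ever late and everything is re-ordered.
    """
    if not packets:
        return [], []
    first = min(packets, key=lambda p: p.arrival_ms)
    kept, dropped = [], []
    for p in packets:
        if buffer_ms is not None:
            due = first.arrival_ms + buffer_ms + ticks_to_ms(p.timestamp - first.timestamp)
            if p.arrival_ms > due:      # arrived after its playout slot
                dropped.append(p.seq)
                continue
        kept.append(p)
    kept.sort(key=lambda p: (p.timestamp, p.seq))   # regular interval, in order
    return [p.seq for p in kept], dropped


def interarrival_jitter(packets: List[RtpPacket]) -> float:
    """RFC 3550 section 6.4.1 running jitter estimate in ms, over arrival order."""
    ordered = sorted(packets, key=lambda p: p.arrival_ms)
    j = 0.0
    for prev, cur in zip(ordered, ordered[1:]):
        # D = (arrival spacing) - (timestamp spacing); J += (|D| - J) / 16
        d = (cur.arrival_ms - prev.arrival_ms) - ticks_to_ms(cur.timestamp - prev.timestamp)
        j += (abs(d) - j) / 16.0
    return j


# Constructed flow, in arrival order: 20 ms packets, seq 5 overtakes seq 4,
# and seq 4 arrives 35 ms behind its nominal 60 ms slot.
SAMPLE_FLOW = [
    RtpPacket(1, 0, 0.0),
    RtpPacket(2, 160, 20.0),
    RtpPacket(3, 320, 41.0),
    RtpPacket(5, 640, 80.0),
    RtpPacket(4, 480, 95.0),
    RtpPacket(6, 800, 100.0),
    RtpPacket(7, 960, 120.0),
]

if __name__ == "__main__":
    for depth in (20.0, 40.0, None):
        played, dropped = simulate_playout(SAMPLE_FLOW, depth)
        label = "infinite" if depth is None else f"{depth:.0f} ms"
        print(f"buffer {label}: played {played}, discarded {dropped}")
    print(f"interarrival jitter: {interarrival_jitter(SAMPLE_FLOW):.2f} ms")
```

With a 20 ms buffer the late packet (seq 4) is discarded; at 40 ms it is played in order, and with no buffer limit every packet is re-ordered and played.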

Saving calls or media as audio WAV files


To save as an audio WAV file, right-click the call or media flow in the Calls or Media views, and choose Save Audio WAV File.

Note: The Save Audio WAV File option is only available when a selected call or media flow has a playback-supported codec.

Selecting voice and video related packets


To select related packets, right-click the call or media flow in the Calls or Media views, and choose Select Related Packets. You can select packets using one of the following options:

By Call: All packets in this call. Includes all signaling, media, and media control packets.
By Caller: All packets to or from the caller's IP address.
By Callee: All packets to or from the callee's IP address.
By Port: All packets between the client and server IP addresses and ports (usually the same as Flow, but not always if a node pair reuses ports for multiple TCP or UDP connections).
By Flow ID: All packets in the flow identified in the Flow ID column.
By Media Flow: All packets in the media flow.

For more information on how to select related packets, see Selecting related packets on page 146.

Making a voice or video filter


Filters are easy to create for calls and media flows. For calls, you can create an address filter between caller and callee, caller and gateway, and gateway and callee. If these are three separate nodes, an advanced filter with three bidirectional address filters will be created, as shown in the example below.

To make a filter for a selected call:
1. Select a call in the Calls view of a capture window.
2. Right-click and choose Make Filter. If the call includes a Gatekeeper, the Advanced view of the Insert Filter dialog appears. In this example, three bidirectional address filters are displayed.
3. Enter a Name for your filter.
4. Click the And, Or, or Not buttons to further define your filter.
5. Click OK. Your filter will now appear in all filter lists in the program.

For media flows, you can create an address or port filter for the selected media flow.


To create a filter for a media flow:
1. Select a media flow in the Media view of a capture window.
2. Right-click and choose Make Filter. The Simple view of the Insert Filter dialog appears with the address and port details entered for this media flow.
3. Enter a Name for your filter.
4. Click OK. Your filter will now appear in all filter lists in the program.

Tip: Choosing Select Related Packets by Call often results in more precision than creating a filter by media flow. See Selecting voice and video related packets on page 268 for more information.

Configuring options in Voice & Video views


You can customize the display of columns in the Voice & Video views, select packets for further analysis using a variety of options, and save voice and video statistics in several formats.

Voice & Video view columns


To change the display of columns in the Calls, Media, and Voice & Video Visual Expert views:

Right-click in the column headers to select the columns you wish to display. You can also select Show All Columns to have all columns appear in the Voice & Video view.
Use drag and drop in the upper pane of the Voice & Video views to change column order.
Sort the contents of any column in ascending or descending order.
Double-click the right edge of a column header to automatically resize the column area.
Hold down the Shift key and double-click the right edge of any column header to automatically resize all of the columns.
Right-click in the column headers and select Columns. The Columns dialog appears. Check the columns you wish to display in the Voice & Video views and click OK.

Tip: Right-click to Check All or Uncheck All columns in the Columns dialog.

For a complete list and description of the columns common to the Voice & Video views of a capture window, see Voice & Video view columns on page 478. For additional columns available only in the Voice & Video Visual Expert, see Voice & Video Visual Expert columns on page 482.

Note Some calls lack values for all columns. This is especially true for calls where the RTP media flows are detected, but the signaling protocol associated with the call is not detected or not supported in the Voice & Video views.

Setting VoIP options


You can select a geographical region and VoIP emulation model to use when calculating VoIP quality scores.

To select a geographical region for Voice & Video views:
1. Choose Tools > Options. The Options dialog appears.
2. Select the VoIP options.
3. Select a geographical region from the drop-down list and click OK.
4. Restart OmniPeek to enable the new geographical region setting.

Summary voice and video statistics


Summary voice and video statistics are displayed in the Summary view of capture windows and saved capture files. A Voice & Video summary statistics group displays values collected and aggregated across all calls within the capture or file.

To view summary Voice & Video statistics:
1. Select the Summary view in a capture window.
2. Scroll to Voice & Video to see summary voice and video statistics for this capture.

The following table describes each voice and video statistic displayed in the Summary view:
Total Calls: All calls for the capture. Includes opened and closed calls, as well as recycled calls.
Current Calls: Calls currently displayed in the Calls view. Calls (Current) = Calls (Total) − Calls (Recycled).
Open Calls: Open calls currently displayed in the Calls view.
Closed Calls: Closed calls currently displayed in the Calls view.
Recycled Calls: Calls that are no longer in the Calls view. The call limit is 2000. After 2000 calls, calls are recycled. Calls (Recycled) = Calls (Total) − Calls (Current).
Max Calls Time: References the point in time when OmniPeek's maximum call limit was reached. Once the maximum call limit has been reached, closed calls (and their respective media flows) drop out of the Calls/Media views as new calls come in.
Total Packet Loss %: Expected but never received packets as a percentage of expected packets: (expected − captured) / expected. Calculated using all media flows (supported codecs only) for all closed calls.
Voice Score Elements: Total number of voice media flows (supported codecs only) for all closed calls.
Voice Packet Loss %: Expected but never received packets as a percentage of expected packets: (expected − captured) / expected. Calculated using all voice score elements.
MOS-LQ: MOS score calculated under the assumption that this is a one-way listen only media flow.
MOS-CQ: MOS score calculated under the assumption that this is an interactive conversation media flow.
MOS-PQ: MOS score calculated using a model that permits apples-to-apples comparisons with other MOS-PQ measurements.
R Factor Listening: R-Factor calculated under the assumption that this is a one-way listen only media flow.
R Factor Conversational: R-Factor calculated under the assumption that this is an interactive conversation media flow.
R Factor G.107: R-Factor calculated using an ITU G.107 model that permits apples-to-apples comparisons with other G.107 measurements.
Audio Score Elements: Total number of audio media flows (supported codecs only) for all closed calls.
Audio Packet Loss %: Expected but never received packets as a percentage of expected packets: (expected − captured) / expected. Calculated using all audio score elements.
VS-AQ: Video Service Audio Quality expressed as a score in the range 0 to 50. This is an audio codec dependent measure related to the subjective quality of the decoded audio stream.
MOS-A (MOS-Audio): The video service audio quality expressed as a score in the range 1.0 to 5.0. This is an audio codec dependent measure related to the subjective quality of the decoded audio stream(s).
Video Score Elements: Total number of video media flows (supported codecs only) for all closed calls.
Video Packet Loss %: Expected but never received packets as a percentage of expected packets: (expected − captured) / expected. Calculated using all video score elements.
VS-PQ: Video Service Picture Quality expressed as a score in the range 0 to 50. This is a codec dependent measure of the subjective quality of the decoded video stream.
VS-MQ: Video Service Multimedia Quality expressed as a score in the range 0 to 50. This is a composite audio/video measure related to the overall subjective user experience and considers picture quality, audio quality and audio/video synchronization.
VS-TQ: Video Service Transmission Quality expressed as a score in the range 0 to 50. This is a codec independent measure related to the ability of the bearer channel to support reliable video.
MOS-AV (MOS-Audio Video): The multimedia quality expressed as a score in the range 1.0 to 5.0. This is a composite audio/video measure that is related to the overall subjective user experience and considers picture quality, audio quality and audio/video synchronization.
MOS-V (MOS-Video): The absolute picture quality expressed as a score in the range 1.0 to 5.0. This is a codec dependent measure that is related to the subjective quality of the decoded video stream and considers the effects of codec, loss, bit rate/quantization level, image resolution and frame loss concealment.

For more information on voice and video statistics in the Summary view of capture windows, see Summary statistics on page 291.
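The packet-loss and call-limit rows of the table above, computed from constructed RTP sequence numbers. This is an added example and not OmniPeek's implementation; it assumes expected packets are counted from RFC 3550 extended sequence numbers (highest minus lowest plus one), captured packets are the distinct sequence numbers seen, and recycling drops the oldest closed call once the Calls view limit is reached.

```python
# Packet-loss and call-limit arithmetic from the Voice & Video summary table.
# Added example, not OmniPeek code. Assumptions: expected = highest extended RTP
# sequence number - lowest + 1 (RFC 3550 style), captured = distinct sequence
# numbers seen; once the Calls view limit is reached, the oldest closed call is
# recycled as each new call arrives. All sample flows below are constructed.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

CALL_LIMIT = 2000  # the Calls view limit stated in the guide

@dataclass
class MediaFlow:
    kind: str                     # "voice", "audio" or "video"
    seqs: List[int]               # 16-bit RTP sequence numbers, capture order
    supported_codec: bool = True  # unsupported codecs are excluded from scores

@dataclass
class Call:
    call_id: str
    flows: List[MediaFlow]
    closed: bool = True

def extend_sequence(seqs: List[int]) -> List[int]:
    """Map 16-bit RTP sequence numbers onto non-wrapping extended values: each
    packet goes in the 65536-cycle closest to its predecessor (handles both
    wraparound and out-of-order arrival)."""
    if not seqs:
        return []
    ext = [seqs[0]]
    for s in seqs[1:]:
        prev = ext[-1]
        cand = prev - (prev & 0xFFFF) + s  # same cycle as the predecessor
        if cand - prev > 0x8000:
            cand -= 0x10000
        elif prev - cand > 0x8000:
            cand += 0x10000
        ext.append(cand)
    return ext

def expected_and_captured(seqs: List[int]) -> Tuple[int, int]:
    """Packets the sender must have emitted vs. distinct packets captured."""
    ext = extend_sequence(seqs)
    return (max(ext) - min(ext) + 1, len(set(ext))) if ext else (0, 0)

def loss_percent(expected: int, captured: int) -> float:
    # (expected - captured) / expected, as a percentage; 0 when nothing expected
    return 0.0 if expected == 0 else 100.0 * (expected - captured) / expected

def summary_packet_loss(calls: List[Call]) -> Dict[str, float]:
    """Packet-loss and score-element rows of the table, over closed calls."""
    totals = defaultdict(lambda: [0, 0, 0])  # kind -> [expected, captured, flows]
    for call in calls:
        for flow in call.flows:
            if not call.closed or not flow.supported_codec:
                continue
            e, c = expected_and_captured(flow.seqs)
            for key in (flow.kind, "total"):
                totals[key][0] += e
                totals[key][1] += c
                totals[key][2] += 1
    out = {"Total Packet Loss %": loss_percent(*totals["total"][:2])}
    for kind in ("voice", "audio", "video"):
        out[f"{kind.title()} Score Elements"] = totals[kind][2]
        out[f"{kind.title()} Packet Loss %"] = loss_percent(*totals[kind][:2])
    return out

class CallsView:
    """Total / Current / Recycled counters under the Calls view limit."""
    def __init__(self, limit: int = CALL_LIMIT):
        self.limit, self.total, self.current = limit, 0, []
        self.max_calls_time = None  # when the limit was first reached

    def add(self, call: Call, when: float) -> None:
        self.total += 1
        if len(self.current) >= self.limit:
            # recycle the oldest closed call; open calls are never dropped
            for i, old in enumerate(self.current):
                if old.closed:
                    del self.current[i]
                    break
        self.current.append(call)
        if self.max_calls_time is None and len(self.current) >= self.limit:
            self.max_calls_time = when

    def counters(self) -> Dict[str, int]:
        closed = sum(1 for c in self.current if c.closed)
        return {"Total Calls": self.total, "Current Calls": len(self.current),
                "Open Calls": len(self.current) - closed, "Closed Calls": closed,
                "Recycled Calls": self.total - len(self.current)}

SAMPLE_CALLS = [
    Call("call-1", [  # wraps 65535 -> 0 with seq 65533 lost; second flow is clean
        MediaFlow("voice", [65530, 65531, 65532, 65534, 65535, 0, 1, 2, 3]),
        MediaFlow("voice", [100, 101, 102, 103, 104])]),
    Call("call-2", [  # 11 overtakes 10, 10 duplicated, seq 12 lost; audio excluded
        MediaFlow("video", [7, 8, 9, 11, 10, 10, 13]),
        MediaFlow("audio", [1, 2, 3], supported_codec=False)]),
    Call("call-3", [MediaFlow("voice", [5, 7])], closed=False),  # open: not scored
]
```

On the sample data the voice rows aggregate to 1 lost of 15 expected packets across 2 score elements, the video row to 1 of 7, and the total row to 2 of 22; CallsView can be exercised with a small limit in place of 2000 to watch the Recycled counter grow.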


Chapter 12: Displaying and Reporting Statistics

In this chapter:

About statistics . . . 276
Monitoring network statistics . . . 276
Viewing capture window statistics . . . 279
Configuring statistics displays . . . 280
Saving statistics output . . . 280
Node statistics . . . 281
Protocol statistics . . . 284
Network statistics . . . 288
Size statistics . . . 290
Summary statistics . . . 291
History statistics . . . 293
Channel statistics . . . 295
WLAN statistics . . . 297
Signal statistics . . . 300
Generating statistics output reports . . . 302
Viewing statistics output reports . . . 305


About statistics
A variety of key statistics can be calculated in real time and presented in intuitive graphical displays. Monitor statistics, available from the Monitor menu, provide data about the overall health of your network and can also be used to isolate potential problems and describe trends before they impact the end-user community. Additionally, statistics are available from each capture window that allow you to monitor just the packets captured into the buffer of that particular capture window.

Tip: You can save, copy, print, or automatically generate periodic reports on these statistics in a variety of formats. See Saving statistics output on page 280.

Monitoring network statistics


The monitor statistics available from the Monitor menu allow you to monitor the overall health of your network. Monitor statistics continuously accumulate data while the program is running and are not affected by any filters configured for individual capture windows.

Note: For an OmniEngine, you can use a Monitoring Capture template that lets you create a capture window optimized for providing statistics, based on traffic seen on the adapter selected for that remote capture. For details, see Monitoring capture on an OmniEngine on page 56.

To view monitor statistics:
1. Make sure a supported adapter is selected as the monitor adapter. See Configuring monitor options on page 277.
2. Make sure Monitor Statistics is enabled in the Monitor menu.
3. Choose the monitor statistic to view from the Monitor menu:

Node: Node statistics display real-time data organized by network node. See Node statistics on page 281.
Protocols: Protocol statistics show network traffic volume, in packets and in bytes, broken down by protocol and subprotocol. See Protocol statistics on page 284.
Network: Network statistics show network utilization, traffic volume, and error rate as analog dials and as data in tables. See Network statistics on page 288.
Size: Size statistics display a Packet Size Distribution graph that shows the percentage of packets grouped by packet size. See Size statistics on page 290.


Summary: Summary statistics allow you to monitor key network statistics in real time and save those statistics for later comparison. See Summary statistics on page 291.
History: History statistics display a graph of network performance at selected intervals over time. See History statistics on page 293.
Channel: When a supported wireless adapter is selected as the monitor adapter, Channel statistics show a variety of statistics and counts for each channel of the WLAN band. See Channel statistics on page 295.
WLAN: When a supported wireless adapter is selected as the monitor adapter, WLAN statistics display an SSID (Service Set Identifier) tree view of wireless nodes. See WLAN statistics on page 297.

Note: You can display all of the monitor statistics windows at the same time; however, if they are all displaying information in real time during capture and the network is busy, the program might not have enough time to process captured packets. This can cause statistics to lag behind actual network activity or cause packets to be dropped.

For information about customizing the display of Monitor statistics windows, see Configuring statistics displays on page 280.

Configuring monitor options


The Monitor Options dialog allows you to select and configure the monitor adapter, set up how statistics output is generated, and optimize performance by enabling or disabling specific program functions.

To configure monitor options:
1. Choose Monitor > Monitor Options. The Monitor Options dialog opens to the Adapter options.


2. Select the desired Monitor option to configure in the left pane:

Adapter: This option lets you choose an adapter as the source for your monitor statistics. All recognized adapters for the current computer are displayed here. See Creating an OmniPeek capture window on page 30.
802.11: If a supported wireless adapter is selected as the adapter for your monitor statistics, these options let you specify the channel settings used by the adapter to listen for traffic on your 802.11 WLAN. You can choose to listen for traffic occurring on a specific channel, or range of channels; or you can listen for traffic associated with a specific BSSID (Basic Service Set Identifier) or ESSID (Extended Service Set Identifier). Additionally, this view lets you select Key Sets used for 802.11 security. See Configuring wireless channels and encryption on page 414.
Hardware Profiles: If a supported Gigabit analyzer card is selected as the adapter for your monitor statistics, these options let you define and manage hardware profiles used by the adapter. See Configuring hardware profiles for OmniAdapters on page 426.
Statistics Output: These options let you configure settings for statistics output from capture windows, capture files, and monitor statistics. This statistics output can be periodically saved as PDF, CSV, HTML or in a variety of text formats. See Saving statistics output on page 280.
Analysis Options: These options let you enable or disable individual program functions for the selected adapter. Disabling program functions frees up system resources, resulting in faster performance. See Optimizing capture performance on page 411.

3. Click OK to accept your changes.

OmniPeek User Guide

Viewing capture window statistics


Unlike monitor statistics, which are based on all of the packets continuously going across the network, capture window statistics are based on the actual packets accepted into the buffer of that particular capture window since capture began, even if some of those packets have since been dumped, overwritten, or saved to a separate file (depending on the options you set in the General view of the Capture Options dialog).

Note For an OmniEngine, you can use a Monitoring Capture template that lets you create a capture window optimized for providing statistics, based on traffic seen on the adapter selected for that remote capture. For details, see Monitoring capture on an OmniEngine on page 56.

To view capture window statistics:

1. Start a capture to open a capture window. See Chapter 3, The Capture Window.

2. From the navigation pane of a capture window, choose the statistic to view:

Nodes: Node statistics display real-time data organized by network node. See Node statistics on page 281.


Protocols: Protocol statistics show network traffic volume, in packets and in bytes, broken down by protocol and subprotocol. See Protocol statistics on page 284.

Summary: Summary statistics allow you to monitor key network statistics in real time and save those statistics for later comparison. See Summary statistics on page 291.

WLAN: When a supported wireless adapter is selected as the capture adapter, WLAN statistics displays an SSID (Service Set Identifier) tree view of wireless nodes. See WLAN statistics on page 297.

Channel: When a supported wireless adapter is selected as the capture adapter, Channel statistics show a variety of statistics and counts for each channel of the WLAN band. See Channel statistics on page 295.

Signals: When a supported wireless adapter is selected as the capture adapter, Signal statistics displays continuously updated graphs of wireless traffic signal strength. See Signal statistics on page 300.

Note WLAN, Channel, and Signal statistics are available in a capture window only when a supported wireless adapter is selected as the adapter for that capture (and in monitor statistics only when one is selected as the monitor adapter).


Configuring statistics displays


Various options are available to customize how text and color appear in the different statistics views. Configuring these options allows you to visualize and recognize the reported data more easily.

View options for statistics


To customize the display of statistics views, choose Tools > Options to open the Options dialog, and then configure the following options:

List Views: Lets you customize the background color and the style of vertical and horizontal lines in all list displays.

Fonts: Specifies the font and style of the data text in all views of the program.

Controlling color in statistics lists


The Color submenu of the View menu uses the color information from the following sources and applies it to the display of nodes and protocols in statistics lists:

The Insert or Edit Name dialog in the Name Table can set the color for packets associated with a particular address (node), port, or protocol.

ProtoSpecs assigns colors to all the protocols it knows how to identify. (See ProtoSpecs on page 287.)

For more about how colors are assigned to packet lists and statistics displays, see Configuring color options on page 410.

Saving statistics output


Monitor statistics or capture window statistics can be saved to text files, generated as reports at periodic intervals, or printed out.

Saving statistics
To save a statistics window as a text file:

1. Make the desired statistics window the active window, and do one of the following:

Right-click the statistics window and choose Save X Statistics, where X is the name of the statistics window.

Choose File > Save X Statistics, where X is the name of the statistics window.

2. Save the file as a tab-delimited (*.txt) or comma-delimited (*.csv) text file.


Generating statistics reports


Statistics reports can be generated and saved at periodic intervals by using the Statistics Output view of the Capture Options dialog (or, for monitor statistics, of the Monitor Options dialog). You can save these reports as PDF, CSV, or HTML files, or as text files that you can import into a spreadsheet or database program for further processing. See Generating statistics output reports on page 302.

Printing statistics
You can print any statistics window or details window except the Network Statistics window.

To print a monitor statistics window or capture window statistics view:

1. Make the desired statistics window the active window.

2. Choose File > Print.

Node statistics
Node statistics display real-time data organized by network node. You can view Node statistics in a hierarchy view or in a variety of flat views. Node statistics are available for the entire network and for a capture window.

To view Node statistics for the entire network, do one of the following:

Choose Monitor > Nodes.

Click the Node Statistics button in the main program window toolbar.

To view Node statistics for a capture window:

Select Nodes in the navigation pane of a capture window.


The parts of the Node Statistics window are described below.

Nodes: Shows the total count of nodes seen.

View Type: Choose a Hierarchy or flat type (Physical, IP, IPv6, AppleTalk, DECnet, IPX) of display.

Refresh: Set the display refresh interval. If the interval is set to Manual, the display updates only when the Refresh button is clicked.

Display Top: Limit the display to the top 5, 10, 20, 50, or 100 nodes seen, as measured by traffic volume.

Display Sent/Received/Both: Limit the display to packets Sent, Received, or both.

Node Details: Opens the Detail Statistics window. See Viewing details for a network node on page 283.


Make Filter: Opens the Insert Filter dialog. See Creating filters with the Make Filter command on page 128.

Insert Into Name Table: Opens the Node Address dialog. See Adding entries to the name table on page 364.

Resolve Names: Click to resolve the name, if one exists in the Name Table for this address.

Graph: Opens the Graph Data Options dialog. See Graph display options on page 338.

Make Alarm: Opens the Make Alarm dialog. See Creating and editing alarms on page 348.

Hierarchy view of nodes


To view Node statistics in a hierarchy view, choose the Hierarchy display type in the header of the Node statistics window. The Hierarchy view lists network nodes or devices by their physical address, the associated logical addresses communicating with them, and the statistics associated with those nodes. See Nodes statistics columns on page 483 for a complete list and description of the column headings found in the Hierarchy view of Node statistics.

Flat views of nodes


To view Node statistics in a variety of flat views, choose the Physical, IP, IPv6, AppleTalk, DECnet, or IPX display type in the header of the Node statistics window. These flat views list the nodes of the selected type and the statistics associated with those nodes. See Nodes statistics columns on page 483 for a complete list and description of the column headings found in the flat views of Node statistics.

Viewing details for a network node


Double-click a node to see more detail about the activity for the selected node and the protocols it is using (or right-click the node and choose Node Details).


The additional detail includes:

Details of communications partners for this node.

A hierarchical list of protocols used by this node and its communications partners. For details on display conventions, see Protocol utilization statistics on page 286.

The Total packets and Total bytes for this node.

Network Load (kbits/s) attributed to this node.

Largest packet, Smallest packet and Average packet size for the specific node or protocol.

Note Frame Relay frames specify only one Data Link Connection Identifier (DLCI), while the Detail Statistics views of a node provide information on pairs of nodes.

Protocol statistics
Protocol statistics show network traffic volume, in packets and in bytes, broken down by protocol and subprotocol. You can view Protocol statistics in a hierarchical or flat view. Protocol statistics are available for the entire network and for a capture window.


To view Protocol statistics for the entire network, do one of the following:

Choose Monitor > Protocols.

Click the Protocol Statistics button in the main program window toolbar.

To view Protocol statistics for a capture window:

Select Protocols in the navigation pane of a capture window.

The parts of the Protocol Statistics window are described below.

Protocols: Shows the total count of protocols seen.

View Type: Choose a Hierarchy or Flat type of display.


Refresh: Set the display refresh interval. If the interval is set to Manual, the display updates only when the Refresh button is clicked.

Display Top: Limit the display to the top 5, 10, 20, 50, or 100 protocols seen, as measured by traffic volume.

Protocol Details: Opens the Detail Statistics window.

Make Filter: Opens the Insert Filter dialog. See Creating filters with the Make Filter command on page 128.

Insert Into Name Table: Adds the selected protocol to the Name Table.

Graph: Opens the Graph Data Options dialog. See Chapter 14, Creating Graphs.

Make Alarm: (OmniPeek console only) Opens the Make Alarm dialog. See Chapter 15, Setting Alarms and Triggers.

Tip For a description of a particular protocol or subprotocol, right-click the protocol in any window where it is shown, and choose Protocol Description.

Hierarchy view of protocols


To view Protocol statistics in a hierarchy view, choose the Hierarchy display type in the header of the Protocol statistics window. In the Hierarchy view, subprotocols are nested under more fundamental protocols such as TCP or UDP and IP. The root of each hierarchy is the base protocol (the one closest to the physical layer).

Protocol utilization statistics


When the Hierarchy view is collapsed, the utilization statistics show the sum of all subprotocols within that protocol. When the Hierarchy view is expanded, utilization statistics are broken out by individual subprotocol. The top-level protocol then shows statistics only for itself and for any subprotocols that seem to be a part of the top-level protocol, but that are not uniquely defined by ProtoSpecs. Statistics that do not belong to any of the recognized subprotocols are added to the totals for the parent protocol. This allows statistics for unrecognized subprotocols to be included in the totals with as much precision as possible.
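The roll-up rule above is easy to get wrong when reading exported numbers, so here is an added example (not OmniPeek or ProtoSpecs code) that reproduces it: each packet carries the deepest protocol that could be identified, a collapsed node shows the sum of itself and every descendant, and an expanded node shows only the traffic that no recognized subprotocol claimed. The "root/sub/sub" path notation and the packet list are constructed for the example.

```python
# Added example (not OmniPeek code): how the Hierarchy view's utilization
# numbers roll up. The packet paths and byte counts below are constructed
# sample data; the "root/sub/sub" path notation is an assumption, not the
# format ProtoSpecs itself uses.
from collections import defaultdict

# Each entry: the deepest protocol ProtoSpecs could identify for one packet
# (root is the protocol closest to the physical layer), and its size in bytes.
SAMPLE_PACKETS = [
    ("Ethernet/IP/TCP/HTTP", 1200),
    ("Ethernet/IP/TCP/HTTP", 800),
    ("Ethernet/IP/TCP", 60),        # TCP segment with no recognized subprotocol
    ("Ethernet/IP/UDP/SNMP", 150),
    ("Ethernet/IP/UDP", 90),        # UDP datagram not uniquely identified
    ("Ethernet/ARP", 42),
]


def own_stats(packets):
    """[packets, bytes] per path, counting only traffic whose deepest
    identification is exactly that node (what the expanded view shows)."""
    stats = defaultdict(lambda: [0, 0])
    for path, nbytes in packets:
        stats[path][0] += 1
        stats[path][1] += nbytes
    return stats


def rolled_up(packets):
    """[packets, bytes] per path including every descendant (what the
    collapsed view shows). Unidentified traffic is credited to the parent
    because its own path is the parent's path."""
    totals = defaultdict(lambda: [0, 0])
    for path, (pkts, nbytes) in own_stats(packets).items():
        parts = path.split("/")
        for depth in range(1, len(parts) + 1):
            node = "/".join(parts[:depth])
            totals[node][0] += pkts
            totals[node][1] += nbytes
    return totals


def utilization(packets, node, expanded):
    """(packets, bytes, percent_of_all_bytes) as the Hierarchy view would
    report for `node` with its branch collapsed or expanded."""
    stats = own_stats(packets) if expanded else rolled_up(packets)
    pkts, nbytes = stats.get(node, [0, 0])
    all_bytes = sum(nb for _, nb in packets)
    share = round(100.0 * nbytes / all_bytes, 1) if all_bytes else 0.0
    return pkts, nbytes, share


if __name__ == "__main__":
    for node in ("Ethernet/IP", "Ethernet/IP/TCP", "Ethernet/IP/TCP/HTTP"):
        print(node, "collapsed:", utilization(SAMPLE_PACKETS, node, False),
              "expanded:", utilization(SAMPLE_PACKETS, node, True))
```

Note that `Ethernet/IP` collapsed accounts for every IP byte, while `Ethernet/IP` expanded shows zero: nothing stopped at IP, so all of its traffic is attributed to TCP, UDP and their subprotocols, exactly as the text describes.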

Flat view of protocols


To view Protocol statistics in a flat view, choose the Flat display type in the header of the Protocol statistics window. The Flat view of Protocol statistics recognizes the same protocols as in the Hierarchy view, but displays all protocol information as a flat list.


ProtoSpecs
ProtoSpecs is a feature of OmniPeek that quickly and accurately identifies the protocols nested within packets. ProtoSpecs uses multiple identifiers within a packet to create a tree-structure that specifies a top-level protocol (such as IP) and subprotocols that it contains (such as FTP or SNMP). You can see this structure in the Hierarchy view of the Protocols tab. The protocol hierarchy is rooted in the network medium of the selected adapter (or the adapter used to capture the file). When the program cannot identify a subprotocol, it lists the protocol with other unidentified types at the highest known protocol level. You can add new protocol discrimination definitions to the ProtoSpecs hierarchy. Please visit http://mypeek.wildpackets.com for SDK information.

Viewing details for a protocol


You can double-click a protocol to see more detail about the traffic in a particular protocol (or right-click the protocol and choose Protocol Details). This opens a Detail Statistics window.

This window displays more detail about the nodes and the selected protocol. The additional detail includes:

Details for nodes communicating in this protocol (and its subprotocols, if any).

The relative percentage of traffic represented by any subprotocols.

The Total packets and Total bytes of traffic for this protocol.

Network Load (kbits/s) used by the protocol (and its subprotocols, if any).

Largest packet, Smallest packet and Average packet size for the protocol.

Note The bar graph in this detail window lists all nodes receiving or sending packets of the selected protocol type, their respective percentage share of the protocol traffic, and the number of packets that percentage represents.

Network statistics
Network statistics show key statistics for the network as analog gauges (Gauge tab) or as raw data (Value tab). Network statistics are available for the entire network only.

Note The Network dashboard of a capture window displays statistics similar to Network statistics. See Network dashboard on page 63.

To view Network statistics for the network, do one of the following:

Choose Monitor > Network.

Click the Network Statistics button in the main program window toolbar.

A Network statistics window appears at the bottom of the main program window. The parts of a Network Statistics window are described below.


The Gauge tab of the Network Statistics window displays three analog dials with corresponding digital displays at their centers. A history graph under the gauges displays maximum (red line) and average (yellow line) values. The three analog dials are:

Network utilization (percent of capacity)

Traffic volume (packets per second)

Error rate (total errors per second)

The Value tab displays tables with the following information:

Duration: This parameter shows the elapsed time, in hours:minutes:seconds format, since you started collecting Monitor statistics.

Packets received: This parameter shows packets received since you started collecting Monitor statistics.

Bytes received: This parameter shows bytes received since you started collecting Monitor statistics.


Multicast: This parameter shows packets addressed to multicast addresses since you started collecting Monitor statistics.

Broadcast: This parameter shows packets addressed to broadcast addresses since you started collecting Monitor statistics.

Error Type: This table shows counts of error packets.

Note If an OmniAdapter is selected as the monitor adapter, network statistics are collected directly by the card and are not affected by filters and packet slicing set on the card. Network Statistics, including error counts, and the Channel groups in Summary Statistics are updated by polling the statistics collected by the card.

Size statistics
Size statistics displays a Packet Size Distribution graph that shows the percentage of packets grouped by packet size. Size statistics are available for the entire network only.

Note You can create Graphs in a capture window that show data similar to the data in Size statistics. See Chapter 14, Creating Graphs.

To view Size statistics for the network, do one of the following:

Choose Monitor > Size.

Click the Size Statistics button in the main program window toolbar.

The parts of the Size Statistics window are identified below.

Pie: Click to choose a pie chart display.

Bar: Click to choose a bar chart display.

Options: Click to open the Size Statistics Display Options dialog to configure Type and Color options.

Pause: Click to temporarily suspend chart updates.

Summary statistics
Summary statistics allow you to monitor key network statistics in real time and save those statistics for later comparison. Summary statistics are available for the entire network and for a capture window.

To view Summary statistics for the network, do one of the following:

Choose Monitor > Summary.

Click the Summary Statistics button in the toolbar of the main program window.

To view Summary statistics for a capture window:

Select Summary in the navigation pane of a capture window.


The parts of a Summary Statistics window are identified below.

Units: Select the units in which the statistics are displayed.

Pause: (OmniPeek console only) Operates as a toggle to temporarily suspend scrolling or screen redraw due to data updates in the statistics list or graph.

Snapshot: Saves the current statistics values for side-by-side comparison with future values. Unique to the Summary tab.

Graph: Opens the Graph Data Options dialog. See Chapter 14, Creating Graphs.

Make Alarm: Opens the Make Alarm dialog to define the parameters for establishing and resolving alarm conditions based on the selected Summary statistics item. See Chapter 15, Setting Alarms and Triggers.

Reported statistics will vary depending on the adapter and driver in use.


Note Statistics provided by Analysis Modules and by the Expert must be enabled in the Analysis Modules view of the Options dialog in order to contribute to the Summary view. These functions can be enabled or disabled in the Analysis Options view of the Capture Options dialog when the individual capture window is created. See Optimizing capture performance on page 411.

Creating snapshots of summary statistics


Use the snapshot feature to baseline normal network activity, save the data as a snapshot, and then compare these saved statistics with those observed during periods of erratic network behavior.

To create a new Summary Statistics snapshot:

Click the Snapshot button. A new column labeled Snapshot 1 appears to the right of the column labeled Current. (Click the Snapshot button again to create subsequent snapshots.)

To delete a Summary Statistics snapshot:

Right-click the column you wish to delete and choose Delete (or choose Delete All Snapshots to clear all of them).
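The snapshot comparison above is done by eye inside the program. When a baseline has instead been saved as a tab-delimited file (see Saving statistics earlier in this chapter) the same comparison can be scripted, which is how an analyst would turn "erratic behavior" into a concrete list of counters that moved. The following is an added example, not OmniPeek code: it parses two exports and flags every statistic that changed by at least 3x in either direction. The two-column Statistic/Value layout, the value-less group heading and the thousands separators are assumptions about the export format, and both exports are constructed sample data.

```python
# Added example (not OmniPeek code): compare a saved baseline of Summary
# statistics against a later export and flag statistics that moved sharply.
# The tab-delimited layout (Statistic<TAB>Value, with value-less group
# headings and thousands separators) is an assumption; the exports are
# constructed sample data.
import csv
import io

BASELINE_TXT = """Statistic\tValue
Network\t
Total Packets\t120,000
Total Bytes\t95,000,000
Broadcast\t800
Multicast\t1,200
ARP\t700
ICMP\t150
DHCP\t400
"""

CURRENT_TXT = """Statistic\tValue
Network\t
Total Packets\t130,000
Total Bytes\t96,000,000
Broadcast\t9,500
Multicast\t1,300
ARP\t8,400
ICMP\t6,000
DHCP\t20
"""


def parse_stats(text):
    """Map statistic name -> numeric value from a tab-delimited export."""
    rows = csv.reader(io.StringIO(text), delimiter="\t")
    next(rows, None)  # header line
    values = {}
    for row in rows:
        if len(row) < 2 or not row[1].strip():
            continue  # group heading such as "Network" carries no value
        values[row[0].strip()] = float(row[1].replace(",", ""))
    return values


def compare(baseline, current, ratio_threshold=3.0, min_abs_delta=100):
    """Return the statistics whose current value differs from the baseline by
    at least ratio_threshold in either direction and by at least
    min_abs_delta in absolute terms (so tiny counters are not flagged)."""
    findings = []
    for name, base in baseline.items():
        if name not in current:
            continue
        cur = current[name]
        delta = cur - base
        if base == 0:
            ratio = float("inf") if cur else 1.0
        else:
            ratio = cur / base
        if abs(delta) >= min_abs_delta and (
            ratio >= ratio_threshold or ratio <= 1.0 / ratio_threshold
        ):
            findings.append({"statistic": name, "baseline": base,
                             "current": cur, "ratio": round(ratio, 2)})
    return findings


if __name__ == "__main__":
    for f in compare(parse_stats(BASELINE_TXT), parse_stats(CURRENT_TXT)):
        print("%-14s baseline=%-12g current=%-12g x%.2f"
              % (f["statistic"], f["baseline"], f["current"], f["ratio"]))
```

With the sample data the overall packet and byte totals barely move, which is why a glance at the gauges would show nothing; the per-protocol counters (Broadcast, ARP and ICMP up by an order of magnitude, DHCP collapsing) are what the comparison surfaces.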

History statistics
History statistics displays a graph of network performance at selected intervals over time. The scale can be fixed, or it can be dynamically adjusted to cover only the range of values encountered so far. History statistics are available for the network only and not for individual capture windows.

Note You can create graphs in a capture window that show data similar to the data in History statistics. See Chapter 14, Creating Graphs.

To view History statistics for the network, do one of the following:

Choose Monitor > History.

Click the History Statistics button in the main program window toolbar.

The parts of the History Statistics window are identified below.


Units: You can choose to measure performance as Utilization (percent of capacity as set in the Network Speed dialog), or as Packets/second or Bytes/second.

Interval: You can choose how the historical data is displayed by selecting a sampling interval.

Bar: Displays History statistics as a bar graph.

Area: Displays History statistics as an area graph.

Line: Displays History statistics as a line graph.

Line/Points: Displays History statistics as a line/points graph.

Options: Opens the History Statistics Display Options dialog to configure Type, Color, and Scale options.

Pause: Temporarily stops the otherwise continuous scrolling of the display. Calculations continue uninterrupted in the background. Scrolling resumes when you click the Pause button again or when you close and reopen the History Statistics window.


Channel statistics
Channel statistics show a variety of statistics and counts for each channel of the WLAN band. When a supported wireless adapter is selected as the monitor adapter, Channel statistics are available for the entire network. When a supported wireless adapter is selected as the capture adapter, Channel statistics are available for a capture window.

To view Channel statistics for the network, do one of the following:

Choose Monitor > Channel and select the Channels tab.

Click the Channel Statistics button in the toolbar of the main program window, and then select the Channels tab.

To view Channel statistics for a capture window:

Select Channels in the navigation pane of a capture window.

The parts of the Channel statistics window are identified below.

Note See Channel statistics columns on page 489 for a complete list and description of the columns available in the Channels view.


View: Display information by All, Packets, or Bytes.

Refresh: (OmniPeek console only) Set the display refresh interval. If the interval is set to Manual, the display is updated only when you click the Refresh button.

Make Filter: Opens the Insert Filter dialog. See Creating filters with the Make Filter command on page 128.

Graph: (OmniPeek console only) Opens the Graph Data Options dialog. See Chapter 14, Creating Graphs.

Make Alarm: (OmniPeek console only) Opens the Make Alarm dialog. See Chapter 15, Setting Alarms and Triggers.


Tip To save the Channel statistics table to a tab-delimited text file, choose File > Save Channels Statistics, or right-click inside the Channel Statistics window and choose Save Channels Statistics.

WLAN statistics
WLAN statistics displays an SSID (Service Set Identifier) tree view of wireless nodes. When a supported wireless adapter is selected as the monitor adapter, WLAN statistics are available for the entire network. When a supported wireless adapter is selected as the capture adapter, WLAN statistics are available for a capture window.

To view WLAN statistics for the network, do one of the following:

Choose Monitor > WLAN.

Click the WLAN Statistics button in the main program window toolbar.

To view WLAN statistics for a capture window:

Select WLAN in the navigation pane of a capture window.

The parts of the WLAN statistics window are identified below.

Note See WLAN statistics columns on page 485 for a description of the columns available in WLAN statistics.


Wireless Networks: Displays the count of wireless networks found.

Ad Hoc Networks: Displays the count of Ad Hoc networks found.

Access Points: Displays the count of access points found.

Clients: Displays the count of clients found.

Node Type: (OmniPeek console only) Lets you limit the display to selected nodes (All Nodes, Stations, Access Points, ESSID, Ad Hoc, Admin, Unknown, and Channels). When the WLAN hierarchy view is broken out by channels, the root branches of the tree are channel numbers, with an individual WLAN hierarchy (ESSID, BSSID, nodes, and so on) underneath each.


Channel View Selection: Opens the WLAN Channels dialog, which allows you to select which channels to display.

Refresh: (OmniPeek console only) Set the display refresh interval. If the interval is set to Manual, the display updates only when the Refresh button is clicked.

Display Top: (OmniPeek console only) Limit the display to the top 5, 10, 20, 50, or 100 nodes seen, as measured by traffic volume.

Node Details: Opens the Detail Statistics window. See Viewing details for a network node on page 283.

Make Filter: Opens the Insert Filter dialog. See Creating filters with the Make Filter command on page 128.

Insert Into Name Table: Opens the Node Address dialog. See Adding entries to the name table on page 364.

Graph: (OmniPeek console only) Opens the Graph Data Options dialog. See Chapter 14, Creating Graphs.

Make Alarm: (OmniPeek console only) Opens the Make Alarm dialog. See Chapter 15, Setting Alarms and Triggers.

Color globes: Identify the type of node by color:

Blue: ESSID

Pink: AP (access point) or Ad Hoc equivalent

Orange: STA or client

Gray: Admin or otherwise unknown

Gray with (?): Indications for a particular node are contradictory or unexpected.

Right-click options: These options include:

Locate Node: (OmniPeek console only) Select the source (STA or AP) and choose Locate Node. If you are using OmniPeek on a laptop, you can use signal strength to find a radio source. OmniPeek creates a live signal strength graph for this node in the Graphs view, then switches your display to that new graph automatically. The higher the signal strength, the closer you have moved to the source node.

Display Weak Associations: (OmniPeek console only) Right-click to toggle the display of stations having only a weak association to any AP or Ad Hoc group. When enabled, STAs with weak associations are shown under the AP to which they last sent a packet. When disabled, STAs with weak associations are added to the ESSID Unknown/BSSID Unknown group.


Tip To save WLAN statistics to a tab-delimited text file, choose File > Save WLAN Statistics, or right-click inside the WLAN statistics window and choose Save WLAN Statistics.

Hierarchy of wireless nodes


The hierarchy of wireless nodes is displayed as follows:

ESSID (Extended Service Set Identifier): the name of a logical group of access points

BSSID (Basic Service Set Identifier): a single access point

STA (Station): a client associated to the particular access point

Each individual station (STA) is arranged under the BSSID of the access point (or equivalent) to which it most recently sent a packet. Stations which have never sent a packet cannot be assigned to an actual BSSID. Until they send a packet to an access point or to a member of an ad hoc group, these nodes are displayed under BSSID Unknown. Three classes of addresses show up in the ESSID Unknown/BSSID Unknown category:

Broadcast and multicast addresses, tagged as Admin in the Type column.

Stations which have sent a Probe Request to a particular ESSID, but which have not associated with any known BSSID.

Nodes which cannot be assigned to any BSSID or ESSID because of the hidden node problem (you can detect only one participant in a conversation, because the other is beyond your range).
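The placement rules above determine where a station shows up in the tree, and the Unknown bucket is where an analyst looks for rogue probing clients and for stations that are only ever heard as destinations. The following added example (not OmniPeek code) applies those rules to a handful of frame summaries: ESSIDs are learned from beacons and probe responses, a station sits under the BSSID it most recently sent to (so a roaming client moves), broadcast and multicast addresses are tagged Admin, probing-but-unassociated clients and hidden nodes land in ESSID Unknown/BSSID Unknown. The (kind, source, destination, BSSID, SSID) summary layout and the frames themselves are constructed for the example.

```python
# Added example (not OmniPeek code): build the ESSID -> BSSID -> STA tree
# from a list of 802.11 frame summaries, following the placement rules in
# the text. The frame tuples are constructed sample data, and the
# (kind, source, destination, bssid, ssid) summary layout is an assumption.
BROADCAST = "ff:ff:ff:ff:ff:ff"

FRAMES = [
    ("beacon",    "00:11:22:aa:bb:01", BROADCAST,           "00:11:22:aa:bb:01", "corp-wifi"),
    ("beacon",    "00:11:22:aa:bb:02", BROADCAST,           "00:11:22:aa:bb:02", "corp-wifi"),
    ("probe_req", "a4:5e:60:01:02:03", BROADCAST,           BROADCAST,           "corp-wifi"),
    ("data",      "d8:3a:dd:10:20:30", "01:00:5e:00:00:fb", "00:11:22:aa:bb:01", None),
    ("data",      "00:11:22:aa:bb:01", "3c:22:fb:44:55:66", "00:11:22:aa:bb:01", None),
    ("data",      "d8:3a:dd:10:20:30", "00:11:22:aa:bb:02", "00:11:22:aa:bb:02", None),
]

UNKNOWN_ESSID = "ESSID Unknown"
UNKNOWN_BSSID = "BSSID Unknown"


def is_group_address(mac):
    """Broadcast or multicast: the I/G bit (low bit of the first octet) is set."""
    return int(mac.split(":")[0], 16) & 1 == 1


def build_wlan_tree(frames):
    essid_of = {}     # BSSID -> ESSID learned from beacons / probe responses
    last_bssid = {}   # STA -> BSSID it most recently sent a frame to
    probed = {}       # STA -> ESSID named in its last Probe Request
    aps = set()       # every BSSID seen (an AP, or the ad hoc equivalent)
    admin = set()     # broadcast / multicast destinations
    seen = set()      # every unicast address observed as source or destination

    for kind, src, dst, bssid, ssid in frames:
        for addr in (src, dst):
            (admin if is_group_address(addr) else seen).add(addr)
        if not is_group_address(bssid):
            aps.add(bssid)
        if kind in ("beacon", "probe_resp"):
            essid_of[bssid] = ssid
        elif kind == "probe_req":
            probed[src] = ssid
        elif kind == "data" and src != bssid:
            last_bssid[src] = bssid   # most recent frame wins (roaming)

    tree = {}

    def place(essid, bssid, node, node_type):
        tree.setdefault(essid, {}).setdefault(bssid, {})[node] = node_type

    for bssid in sorted(aps):  # every AP is a branch even with no clients
        tree.setdefault(essid_of.get(bssid, UNKNOWN_ESSID), {}).setdefault(bssid, {})
    for addr in sorted(admin):
        place(UNKNOWN_ESSID, UNKNOWN_BSSID, addr, "Admin")
    for sta in sorted(seen - aps):
        if sta in last_bssid:
            bssid = last_bssid[sta]
            place(essid_of.get(bssid, UNKNOWN_ESSID), bssid, sta, "STA")
        elif sta in probed:
            place(UNKNOWN_ESSID, UNKNOWN_BSSID, sta, "STA (probed %s)" % probed[sta])
        else:
            # Heard about only as a destination: the hidden node case.
            place(UNKNOWN_ESSID, UNKNOWN_BSSID, sta, "STA (never sent)")
    return tree


if __name__ == "__main__":
    for essid, bssids in build_wlan_tree(FRAMES).items():
        print(essid)
        for bssid, stas in bssids.items():
            print("  " + bssid)
            for sta, kind in stas.items():
                print("    %s  %s" % (sta, kind))
```

In the sample, d8:3a:dd:10:20:30 first sends through 00:11:22:aa:bb:01 and then through 00:11:22:aa:bb:02, so it ends up under the second BSSID only, and 3c:22:fb:44:55:66 is placed in the Unknown group because the only frame involving it came from the AP: the station itself was never heard.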

Signal statistics
Signal statistics displays continuously updated graphs of wireless traffic signal strength. When a supported wireless adapter is selected as the monitor adapter, Signal statistics are available for the entire network. When a supported wireless adapter is selected as the capture adapter, Signal statistics are available for a capture window.

To view Signal statistics for the network, do one of the following:

Choose Monitor > Channel and select the Signal tab.

Click the Channel Statistics button in the toolbar of the main program window, and then select the Signal tab.

To view Signal statistics for a capture window:

Select Signal in the navigation pane of a capture window.

The parts of the Signal statistics window are identified below.

Channels: Choose to show signals on all channels, or show only the signals of access points detected on the channels advertised in AP beacon and probe response packets.

All: Shows the minimum, maximum, average, and most recent values for each channel in the scan.

AP only: Shows the most recent value for each AP.

Node Type: Limit the display to traffic between certain types of nodes (All Nodes, Client to AP, AP to Client, or AP to AP).

Units: Choose the units of display. The % (percent) units show the RSSI (Receive Signal Strength Indicator) normalized to a percentage. The dBm units are decibels relative to one milliwatt.

Note If the current adapter does not support dBm reporting, the Signal view will show readings of zero when any choice including (dBm) is selected for the Units. Change the Units to percentage (%) for these adapters.


Options: Opens the Signal Statistics Options dialog, where you can choose to reset the graph occasionally or to toggle the Legend in the Signal view on or off.

Pause: Temporarily suspends the update of the display.

Geiger Counter: Acts as a toggle. When enabled, makes an audible click each time the user-specified number of packets is processed on the selected adapter. You can specify a click for every 1, 10, 100, or 1000 packets.

Generating statistics output reports


A variety of statistics output reports can be generated from monitor statistics obtained for the entire network, or from capture window statistics obtained for a specific capture window. Statistics output reports can be generated at periodic intervals and saved as PDF, CSV, HTML or XML files, or as text files that you can import into a spreadsheet or database program for further processing.

Statistics output reports from monitor statistics


To generate statistics output reports from monitor statistics:

1. Choose Monitor > Monitor Options. The Monitor Options dialog appears.

2. Select the adapter you wish to monitor.

3. Select the Statistics Output options in the navigation pane.

4. Configure the Statistics Output options:

Save statistics report every: Select this check box to enable saving statistics. Type or select the frequency interval with which you want to update the statistics files, and then the units of time by selecting Minutes, Hours, or Days from the list.

Report type: Select the report type (a description of the selected report is displayed in the Report description box at the bottom of the dialog).

Report folder: Type or browse to the folder where statistics output files are saved.

Reset statistics after output: Select this option to reset the counts to zero after each statistics report is saved.

Align save to time interval: Select this option to output a file at the nearest whole unit of time by the clock. For example, if your interval is set to some number of hours, the output occurs on the hour. When this option is cleared, the count begins as soon as you click OK, and output occurs when the first interval is reached.

New file set: Select this option to write reports to new file folders, created at the intervals you specify in Set Schedule.


Set Schedule: Click this button to open the New File Set Schedule dialog to specify intervals for your new file sets.
Report description: Displays a description of the report type selected in Report type above.
Log output: Select this option to generate a message in the global log file each time statistics output are generated. Log entries include the path name of the output folder.

Set Preferences: Click this button to open the Report Templates dialog. The Report Templates dialog lets you select the statistics that you want to include in your report.

5. Click OK.
6. Click Yes when prompted to open certain statistics windows so the statistics output can be generated correctly.

The statistics output reports are generated at the frequency intervals specified in Save statistics report every above.

Statistics output reports from capture window statistics


To generate statistics output reports from capture window statistics:

1. Start a capture to open a capture window. See Chapter 3, The Capture Window.
2. Choose Capture > Capture Options. The Capture Options dialog appears.
3. Select the Statistics Output options in the navigation pane.
4. Configure the Statistics Output options:

Save statistics report every: Select this check box to enable saving statistics. Type or select the frequency interval with which you want to update the statistics files, and then the units of time by selecting Minutes, Hours, or Days from the list.

Report type: Select the report type (a description of the selected report is displayed in the Report description box at the bottom of the dialog).
Report folder (OmniPeek captures only): Type or browse to the folder where statistics output files are saved.
Reset statistics after output: Select this option to reset the counts to zero after each statistics report is saved.


Chapter 12: Displaying and Reporting Statistics

Align save to time interval: Select this option to output a file at the nearest whole unit of time by the clock. For example, if your interval is set to some number of hours, the output will occur on the hour. When this option is cleared, the count begins as soon as you click OK, and output occurs when the first interval is reached.

Create new file set: Select this option to write reports to new file folders, created at the intervals you specify in Set Schedule. See New file set schedule on page 304.
Set Schedule: Click this button to open the New File Set Schedule dialog to specify intervals for your new file sets.
Report description: Displays a description of the report type selected in Report type above.
Log output: Select this option to generate a message in the global log file each time statistics output are generated. Log entries include the path name of the output folder.

5. Click OK.

The statistics output reports are generated at the frequency intervals specified in Save statistics report every above.

New file set schedule


When Create new file set is selected in the Statistics Output options, a series of new file folders is created, one at a time, at the intervals you specify. Folder names have the form FolderNameYYYY-MM-DD hh.mm.ss, where FolderName is the name you specified in Report folder.

To create a schedule for a new file set:

1. Select New file set in the Statistics Output options.
2. Click the Set Schedule button. The New File Set Schedule dialog appears.

3. Configure the dialog:

Every time: Select this option to create a new folder each time a new statistics report is generated. The timestamp of each folder will show the time at which each statistics report was created.


On a schedule: Select this option to establish a schedule for the creation of new folders. Select a number and units of time. The timestamp on each file folder will show the time at which the folder itself was created. Statistics reports continue to overwrite one another in this folder until a new folder is created.
Align to time interval: Select this option to have the creation of new folders occur on the nearest whole unit of clock time.


Output and reset statistics before new file set: Select this option to output the next scheduled statistics report, then reset statistics before each new folder is created.
Keep most recent _____ file sets: Select this option to keep only the specified number of files, discarding older files and folders to make room for newer ones. Type or enter the number of file sets.

4. Click OK. The current setting for the New File Set Schedule dialog appears in the box immediately below the Set Schedule button.
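The schedule options described above (the save interval, Align save to time interval, the FolderNameYYYY-MM-DD hh.mm.ss folder names of new file sets, and Keep most recent file sets) combine in a way that is easy to get wrong when you plan disk usage for a long-running capture. The following Python is an added model of that behaviour; it is not OmniPeek's own code. The function names are hypothetical, the sample folder names are constructed, and the exact alignment rule (the first report lands on the next whole clock unit, later reports follow at the chosen interval) is an assumption drawn from the option descriptions.

```python
"""Added example (not OmniPeek code): a model of the Statistics Output
schedule options. Function names and the exact alignment rule are
assumptions drawn from the option descriptions in this section."""
import re
from datetime import datetime, timedelta
from typing import List

UNIT_SECONDS = {"Minutes": 60, "Hours": 3600, "Days": 86400}
# New file set folders are named FolderNameYYYY-MM-DD hh.mm.ss (no separator).
FOLDER_RE = re.compile(r"^(?P<base>.*?)(?P<ts>\d{4}-\d{2}-\d{2} \d{2}\.\d{2}\.\d{2})$")


def next_output_time(now: datetime, count: int, unit: str, align: bool) -> datetime:
    """First report time after `now`.

    Cleared 'Align save to time interval': the count starts when you click
    OK, so the first report comes one full interval later.  Selected: the
    report lands on the next whole unit of clock time (on the hour when
    the unit is Hours, at midnight when it is Days).  Assumed model.
    """
    if not align:
        return now + timedelta(seconds=count * UNIT_SECONDS[unit])
    unit_len = timedelta(seconds=UNIT_SECONDS[unit])
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    whole_units = (now - midnight) // unit_len  # timedelta // timedelta -> int
    return midnight + (whole_units + 1) * unit_len


def report_schedule(start_iso: str, count: int, unit: str, align: bool, n: int = 3) -> List[str]:
    """The first `n` report times after `start_iso`, as 'YYYY-MM-DD HH:MM:SS'."""
    interval = timedelta(seconds=count * UNIT_SECONDS[unit])
    t = next_output_time(datetime.fromisoformat(start_iso), count, unit, align)
    times = []
    for _ in range(n):
        times.append(t.strftime("%Y-%m-%d %H:%M:%S"))
        t += interval
    return times


def file_set_folder_name(report_folder: str, created_iso: str) -> str:
    """Folder name for a new file set created at `created_iso`."""
    created = datetime.fromisoformat(created_iso)
    return f"{report_folder}{created:%Y-%m-%d %H.%M.%S}"


def file_sets_to_discard(folders: List[str], keep: int) -> List[str]:
    """Apply 'Keep most recent N file sets': return the older folders to remove.

    The creation time is parsed from the folder name instead of trusting the
    order the names arrived in; names that do not match the pattern (stray
    files in the report folder) are never returned for deletion.
    """
    dated = []
    for name in folders:
        m = FOLDER_RE.match(name)
        if m:
            dated.append((datetime.strptime(m["ts"], "%Y-%m-%d %H.%M.%S"), name))
    dated.sort()
    cut = len(dated) - min(max(keep, 0), len(dated))
    return [name for _, name in dated[:cut]]


if __name__ == "__main__":
    print(report_schedule("2012-05-01T10:17:42", 2, "Hours", align=True))
    print(file_set_folder_name("C:\\Reports\\Stats", "2012-05-01T11:00:00"))
    # Constructed folder listing: five hourly file sets, keep the newest three.
    existing = [file_set_folder_name("Stats", f"2012-05-01T{h:02d}:00:00") for h in range(8, 13)]
    print("discard:", file_sets_to_discard(existing, keep=3))
```

The retention helper deliberately orders file sets by the timestamp embedded in their names rather than by directory listing order, so a folder copied in later or a stray file in the report folder cannot cause the wrong set to be discarded.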

Viewing statistics output reports


Statistics output reports are generated at the frequency interval specified in Statistics Output options. If you selected XML\HTML Report as your Report type, you can view the generated reports in an XSLT supported browser (for example, IE 6.0, Firefox 1.0.2, Mozilla 1.7.8, Netscape 8).

Note Selecting XML\HTML Report as your Report type may affect capture performance. Selecting a PDF (default) report type is recommended for best performance.

To view a statistics output report:

1. Navigate to the Report Folder location specified in Statistics Output options.

Note On an OmniEngine, the Data folder configured in the General view of the OmniEngine Wizard is the Report folder location. See the OmniEngine documentation or OmniEngine Manager online help for details.

2. Double-click the report.htm file to open it in a browser. The report looks similar to the following:


3. Click a tab and subheading to view the various statistics output reports.


Chapter 13: Using the Peer Map

In this chapter:

About the Peer Map, page 308
The Peer Map view, page 308
Peer Map options, page 315
Displaying relevant nodes and traffic, page 315


About the Peer Map


The Peer Map view of a capture window lets you visualize network traffic, displaying the nodes around an elongated ellipse. Line weight shows the relative volume of traffic between nodes and line color the protocol in use between nodes. The nodes themselves can be color-coded and displayed as icons, based on node type and Name Table data. The Peer Map tabs contain options to control the display of nodes and types of network traffic. This lets you quickly create a picture of all the traffic that is using a particular protocol. For example, you can show only the nodes sending or receiving multicast traffic.

The Peer Map view


To display a Peer Map:

From an open capture window, click the Peer Map view.


(Figure: the Peer Map view, with the Peer Map header and the Peer Map tabs called out.)


Nodes and traffic in the Peer Map


Nodes and the traffic occurring between them are represented in the following ways in the Peer Map:

Each dot represents a particular node. When you hold the cursor over a node, the node is highlighted in yellow, and a graphical tooltip appears with more information about the node. See Displaying node tooltips on page 318. If you click on one or more nodes, the node is highlighted in orange and becomes the focused object in the Peer Map. Subsequent toolbar button or context menu key presses will apply to the focused node.

The size of the dot represents the number of packets sent from that node, as a percentage of total packets in the window.

The lines between nodes represent the traffic (or conversation) between them. When you hold the cursor over a line, the line is highlighted in yellow, and a graphical tooltip appears with more information about the traffic occurring between the two nodes. See Displaying node tooltips on page 318. If you click on a line, the line is highlighted in orange and becomes the focused object in the Peer Map. Subsequent toolbar button or context menu key presses will apply to the focused conversation line.

The color of the line represents the protocol. This matches the protocol colors displayed for each protocol in the Protocols task pane of the Configuration tab.

The thickness of the line represents the volume of the traffic. Specifically, the thickness of the line represents the volume in bytes of the traffic between two nodes, expressed as a percent of all the traffic in the buffer.

Tip You can drag one or more nodes and lines to other positions within the Peer Map to make it easier to view network traffic occurring with those nodes and lines. To move a node back to within the ellipse, right-click the node and select Arrange. To move all nodes back to within the ellipse, right-click an empty area of the Peer Map and select Arrange All Nodes.

Parts of the Peer Map


Peer Map header

Nodes: Displays the number of unique nodes in the Peer Map.
Convs. (Conversations): Displays the number of conversations in the Peer Map.
Protocols: Displays the number of unique protocols in the Peer Map.


Map Type: Lets you choose whether to display nodes as a Physical, IP, IPv6, AppleTalk, DECnet, or an IPX Peer Map.

Peer Map toolbar:

Options: Displays the Peer Map Options dialog that lets you control how various items are displayed in the Peer Map. See Peer Map options on page 315.
Node Details: Displays the Detail Statistics dialog for the selected node.
Conversation Details: Displays the Detail Statistics dialog for the selected conversation.
Make Filter: Displays the Insert Filter dialog to create a filter based on the selected node or conversation.
Insert Into Name Table: Displays the Edit Name dialog to create an entry in the name table based on the selected node.
Resolve Names: Resolves the name of the node from the name table.

Peer Map tabs


Configuration: This tab sets the basic parameters of the Peer Map. See Configuration tab on page 310.
Node Visibilities: This tab displays node counts, and nodes that are both shown and hidden in the Peer Map. See Node Visibilities tab on page 312.
Profiles: This tab lets you create profiles and add a background image to the Peer Map. See Profiles tab on page 314.

Configuration tab
The Configuration tab sets the basic parameters of the Peer Map. The Configuration tab task panes are described below.


Node Visibility Criteria


The Node Visibility Criteria task pane lets you control what part of the traffic in the capture window's buffer is displayed in the Peer Map:

Maximum Nodes: Lets you limit the display to no more than the specified number of nodes, expressed as an Absolute number or as a Percent of all nodes included in the buffer.
Traffic Types: Lets you choose the type of traffic to display. You can choose from any combination of Unicast, Multicast, or Broadcast traffic types.
Node Ranking: Lets you choose whether you want the Maximum Nodes to represent the Highest or the Lowest values in the sample.
Node Statistic: Lets you choose the units to use when evaluating the Maximum Nodes and Node Ranking criteria. You can choose from Total Packets or Total Bytes.
Traffic Direction: Lets you choose whether to count the bytes or packets Sent, Received, or both Sent and Received.
Summary: Displays a description of the current view.


Note The nodes that do not meet your criteria are removed from the Peer Map and are listed in the Auto Hidden Nodes pane under the Node Visibilities tab.
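The description of nodes and traffic in the Peer Map (dot size as packets sent over all packets, line weight as conversation bytes over all bytes) and the Node Visibility Criteria above together define a small ranking algorithm. The following Python is an added example, not OmniPeek code, that computes those values from a packet buffer and applies Maximum Nodes (absolute or percent), Traffic Types, Node Ranking, Node Statistic and Traffic Direction to split the nodes into the shown set and the auto-hidden set. The packets are constructed, the traffic type is classified from the destination MAC as a Physical map would, and all function names are hypothetical.

```python
"""Added example (not OmniPeek code): a model of how the Peer Map derives
dot sizes, line weights and the Node Visibility Criteria from a capture
buffer. Packets are constructed; function names are hypothetical."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Sequence, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"
ALL_TYPES = ("Unicast", "Multicast", "Broadcast")


@dataclass(frozen=True)
class Packet:
    src: str       # source MAC (Physical map)
    dst: str       # destination MAC
    length: int    # bytes on the wire
    protocol: str  # ProtoSpecs name, used for line color in the real view


def traffic_type(pkt: Packet) -> str:
    """Broadcast, Multicast (I/G bit of the first octet set) or Unicast."""
    if pkt.dst.lower() == BROADCAST:
        return "Broadcast"
    return "Multicast" if int(pkt.dst.split(":")[0], 16) & 1 else "Unicast"


def node_stats(packets: Sequence[Packet]) -> Dict[str, Dict[str, int]]:
    """Per-node sent/received packet and byte counts."""
    stats: Dict[str, Dict[str, int]] = defaultdict(
        lambda: {"pkts_sent": 0, "bytes_sent": 0, "pkts_recv": 0, "bytes_recv": 0})
    for p in packets:
        stats[p.src]["pkts_sent"] += 1
        stats[p.src]["bytes_sent"] += p.length
        stats[p.dst]["pkts_recv"] += 1
        stats[p.dst]["bytes_recv"] += p.length
    return dict(stats)


def dot_sizes(packets: Sequence[Packet]) -> Dict[str, float]:
    """Dot size: packets sent from the node as a percentage of all packets."""
    total = len(packets)
    return {n: 100.0 * s["pkts_sent"] / total for n, s in node_stats(packets).items()}


def line_weights(packets: Sequence[Packet]) -> Dict[FrozenSet[str], float]:
    """Line thickness: bytes between a pair of nodes as a percentage of all bytes."""
    total = sum(p.length for p in packets)
    conv: Dict[FrozenSet[str], int] = defaultdict(int)
    for p in packets:
        conv[frozenset((p.src, p.dst))] += p.length
    return {pair: 100.0 * b / total for pair, b in conv.items()}


def visible_nodes(packets: Sequence[Packet], max_nodes: int, as_percent: bool = False,
                  traffic_types: Sequence[str] = ALL_TYPES, ranking: str = "Highest",
                  statistic: str = "Total Packets",
                  direction: str = "Sent and Received") -> Tuple[List[str], List[str]]:
    """Apply the Node Visibility Criteria. Returns (shown, auto_hidden), both sorted."""
    all_nodes = {p.src for p in packets} | {p.dst for p in packets}
    # Traffic Types: only packets of the chosen kinds count toward the ranking.
    stats = node_stats([p for p in packets if traffic_type(p) in traffic_types])
    field = "pkts" if statistic == "Total Packets" else "bytes"

    def score(node: str) -> int:
        sent, recv = stats[node][f"{field}_sent"], stats[node][f"{field}_recv"]
        return {"Sent": sent, "Received": recv, "Sent and Received": sent + recv}[direction]

    # Maximum Nodes: an absolute count, or a percent of all nodes in the buffer.
    limit = round(len(all_nodes) * max_nodes / 100) if as_percent else max_nodes
    ranked = sorted(stats, key=lambda n: (score(n), n), reverse=(ranking == "Highest"))
    shown = sorted(ranked[:limit])
    return shown, sorted(all_nodes - set(shown))


# Constructed sample buffer: two unicast talkers, one ARP broadcast, one mDNS multicast.
SAMPLE = [
    Packet("00:11:22:33:44:01", "00:11:22:33:44:02", 1500, "HTTP"),
    Packet("00:11:22:33:44:02", "00:11:22:33:44:01", 60, "HTTP"),
    Packet("00:11:22:33:44:01", "00:11:22:33:44:02", 1500, "HTTP"),
    Packet("00:11:22:33:44:03", BROADCAST, 60, "ARP"),
    Packet("00:11:22:33:44:03", "01:00:5e:00:00:fb", 200, "mDNS"),
    Packet("00:11:22:33:44:04", "00:11:22:33:44:01", 80, "DNS"),
]

if __name__ == "__main__":
    for node, pct in sorted(dot_sizes(SAMPLE).items()):
        print(f"{node}  dot {pct:5.1f}% of packets")
    for pair, pct in line_weights(SAMPLE).items():
        print(f"{' <-> '.join(sorted(pair))}  line {pct:5.1f}% of bytes")
    print("shown / auto hidden:", visible_nodes(SAMPLE, max_nodes=2))
```

Note that a node can be auto-hidden for two different reasons: it ranks below the Maximum Nodes cut-off, or all of its traffic is of a type that was deselected in Traffic Types. Both end up in the Auto Hidden Nodes pane, so when a host you expect is missing from the map, check the Traffic Types selection before assuming it was out-ranked.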

Protocols
The Protocols task pane displays a list of protocols currently found in the Peer Map and allows you to control the display of the line segments between the various peers. The line segments represent traffic for a particular protocol. The toolbar lets you control what is displayed:

View: Select how you want the protocols displayed in the Protocols task pane (Flat, Hierarchical, or Condense).
Enable All: Click to enable the display of all protocols.
Disable All: Click to disable the display of all protocols.
Toggle All: Click to toggle between Enable All and Disable All.

Each protocol has a color associated with it in ProtoSpecs. Both the entry in the Protocols pane and the traffic lines in the Peer Map use the same ProtoSpecs-assigned color to display each particular protocol. See ProtoSpecs on page 287.

Node Visibilities tab


The Node Visibilities tab displays node counts, and nodes that are both shown and hidden in the Peer Map. The Node Visibilities task panes are described below.


Default Node Visibility


This task pane specifies the default node visibility to assign to nodes that do not have a user-specified visibility. For example, if this option is set to Always Hide, then all nodes that have not had their visibility assigned by the user will be hidden. This is useful if, during a live capture, the user doesn't want new nodes to appear on the Peer Map as they are discovered.

Node Counts
This task pane summarizes all of the nodes of the Peer Map into the following categories: Always Shown, Always Hidden, Auto Shown, Auto Hidden, and Total.

Always Shown Nodes


This task pane lists the nodes that are configured to always be shown and displayed in the Peer Map. Right-click a node in the task pane to display additional options for the selected node.

Always Hidden Nodes


This task pane lists the nodes that are configured to always be hidden and not displayed in the Peer Map. Right-click a node in the task pane to display additional options for the selected node.


Auto Hidden Nodes


This task pane lists the nodes that are currently hidden from the Peer Map. The settings in the Configuration tab determine which nodes appear in this task pane. Right-click a node in the task pane to display additional options for the selected node.

Profiles tab
The Profiles tab lets you create profiles and add a background image to the Peer Map.

Profiles
The Profiles task pane lets you save Peer Map configuration settings into a single profile that controls the appearance and layout of the Peer Map. The toolbar in the task pane allows you to save, edit, duplicate, delete, import, and export profiles. The settings that make up the profile include:

User-applied node visibilities (always shown, always hidden)
Default node visibility
User-arranged node locations
Background image

Note Changes to a Peer Map profile are applied globally to all capture windows using that profile.

To enable a profile: Select the check box of the desired profile.

Background Image
The Background Image task pane lets you apply a background image to the Peer Map. This is useful if you want a more visual representation of the nodes in your Peer Map and your actual network. For example, if you have a graphic image of your network, you can add that image as a background image, and then arrange several key nodes that are experiencing the network problems over the background image to represent their real-world locations. Additionally, you can then hide all uninteresting nodes so that they don't clutter the arrangement.

To add a background image:

1. Click Open in the task pane. The Open Image dialog appears.
2. Select the background image, and then click Open. The image is added to the Peer Map.

Peer Map options


The Peer Map Options dialog lets you control how various items are displayed in the Peer Map. You can choose to show or hide displayable icons, node visibilities, and protocol line segment gaps. To view the Peer Map options dialog:

Click the Options icon in the Peer Map toolbar. The following options are available:

Show type icons (server, workstation, etc.): Select this option to display the icon appropriate to that node type (such as Workstation, Router).
Show visibility icons (thumbtack): Select this option to display a node visibility icon (a thumbtack) to indicate that a node visibility (Always Shown or Always Hidden) is assigned to a node.
Show node tooltips: Select this option to display a tooltip when hovering over a node.
Show gaps between protocol segments: Select this option to display gaps in line segments to help distinguish that more than one protocol is in use between nodes.
Show ghost lines when all protocol segments are disabled: Select this option to display light gray, dashed lines in place of conversation lines when all of their protocol segments have been disabled.
Show conversation tool tips: Select this option to display a tooltip when hovering over a line.
Improve rendering speed by turning off anti-aliasing when displaying _______ or more conversations: Select this option to improve how fast the Peer Map is rendered.

Displaying relevant nodes and traffic


The packets currently in the buffer of the capture window are the source of what is displayed in the Peer Map. You have various right-click options to display only the most relevant nodes and traffic in the Peer Map.


If you right-click a node in the Peer Map or in the Node Visibilities tab, the following options are available:

Arrange (Peer Map tab only): This option arranges the node back to within the ellipse of the Peer Map.
Node Details: This option opens the Detailed Statistics dialog and shows details of the selected node.

Tip You can mouse over a node to display details of the node in a tooltip. See Displaying node tooltips on page 318.

Visibility: Displays options for showing and hiding nodes within the Peer Map. Showing and hiding nodes in the Peer Map do not affect how nodes are displayed in other views of a capture window.

    Always Show: This option will always display the node in the Peer Map. When you select this option, a thumbtack icon is displayed with the node in the Peer Map to indicate a node visibility setting has been assigned, and the node is listed in the Always Shown Nodes task pane of the Node Visibilities tab.

    Always Hide: This option will always hide the node in the Peer Map. When you select this option, the node is removed from the Peer Map and listed in the Always Hidden Nodes task pane of the Node Visibilities tab.
    Auto: This option reverts any Always Shown or Always Hidden nodes back to their original status.

Peers: Displays options for showing or hiding nodes that are peers to the selected nodes.

    Always Show: This option will always display nodes that are peers in the Peer Map. When you select this option, a thumbtack icon is displayed with the node in the Peer Map to indicate a node visibility setting has been assigned, and the node is listed in the Always Shown Nodes task pane of the Node Visibilities tab.

    Always Hide: This option will always hide nodes that are peers in the Peer Map. When you select this option, the node is removed from the Peer Map and the node is listed in the Always Hidden Nodes task pane of the Node Visibilities tab.
    Auto: This option reverts any Always Shown or Always Hidden nodes back to their original status.

Non-Peers: Displays options for showing or hiding nodes that are not peers to the selected nodes.


    Always Show: This option will always display nodes that are not peers in the Peer Map. When you select this option, a thumbtack icon is displayed with the node in the Peer Map to indicate a node visibility setting has been assigned, and the node is listed in the Always Shown Nodes task pane of the Node Visibilities tab.

    Always Hide: This option will always hide nodes that are not peers in the Peer Map. When you select this option, the node is removed from the Peer Map and the node is listed in the Always Hidden Nodes task pane of the Node Visibilities tab.
    Auto: This option reverts any Always Shown or Always Hidden nodes back to their original status.


Select Related Packets: Displays options for showing or hiding nodes that are related to the selected packets by the source or destination IP address.

    By Source: This option displays nodes that are related to the selected node by source IP address. You will have the option to Hide selected packets, Hide unselected packets, or Copy selected packets to new window.
    By Destination: This option displays nodes that are related to the selected node by destination IP address. You will have the option to Hide selected packets, Hide unselected packets, or Copy selected packets to new window.
    By Source or Destination: This option displays nodes that are related to the selected node by both source and destination IP address. You will have the option to Hide selected packets, Hide unselected packets, or Copy selected packets to new window.

Important! Unlike the tools for hiding and unhiding nodes in the Peer Map, selection results are shown in the Packets view, as with any other Select Related Packets operation.

Make Filter: This option opens the Insert Filter dialog and lets you create a filter based on the selected node.
Insert into Name Table: This option opens the Insert Name or Edit Name dialog with the characteristics of the selected node already entered.


Resolve Names: Select this option if name resolution services are available. For more about names, see Chapter 17, Using the Name Table.

If you right-click a conversation in the Peer Map, the following options are available:

Conversation Details: This option opens the Detailed Statistics dialog and shows details of the selected conversation.
Select Related Packets: Displays the option for showing or hiding nodes that are related to the selected conversation by the source and destination IP address.



    By Source or Destination: This option displays nodes that are related to the selected conversation by both source and destination IP address. You will have the option to Hide selected packets, Hide unselected packets, or Copy selected packets to new window.

Important! Unlike the tools for hiding and unhiding nodes in the Peer Map, selection results are shown in the Packets view, as with any other Select Related Packets operation.

Make Filter: This option opens the Insert Filter dialog and lets you create a filter based on the selected conversation.

If you right-click anything other than a node or conversation, the following options are available:

Arrange All Nodes: This option arranges nodes back to within the ellipse of the Peer Map.
Resolve All Names: This option renames nodes according to the name table.
Copy to Clipboard: This option copies the Peer Map image to the clipboard.

Tip You can drag one or more nodes to other positions within the Peer Map to make it easier to view network traffic occurring with those nodes. To move a node back to within the ellipse, right-click the node and select Arrange. To move all nodes back to within the ellipse, right-click an empty area of the Peer Map and select Arrange All Nodes.

Displaying node tooltips


When you move your cursor over a node or line in the Peer Map, or node in the Node Visibilities tab, a tooltip appears displaying tabular and graphical information about the node or line:

(Figure: the Peer Map line tooltip and node tooltip.)

Chapter 14: Creating Graphs

In this chapter:

About graphs, page 322
OmniPeek monitor statistics graphs, page 322
OmniPeek capture statistics graphs, page 324
OmniEngine statistics graphs, page 327
OmniEngine graph templates, page 333
Configuring and saving graphs, page 338


About graphs
In addition to the standard statistical displays, OmniPeek and OmniEngine offer speed, power, and flexibility in the display of individual statistical items or groups of statistics in user-defined graphs. Statistics graphing functions for the OmniEngine captures also allow you to create and manage graph templates, which can be used by any OmniEngine capture window on that OmniEngine. See OmniEngine graph templates on page 333. The following sections describe the tools for graphing statistics from OmniPeek and OmniEngine.

OmniPeek monitor statistics graphs


Statistics from OmniPeek monitor window displays of Node, Protocol, Summary, WLAN, and Channel Statistics can be displayed graphically in real time.

To create a real-time graph of an OmniPeek monitor statistics window:

1. Select the item in a monitor statistics window and choose one of the following:

Click the Graph button in the toolbar.
Right-click and select Graph.

The Graph Data Options dialog appears.

2. Fill in the Graph Data Options dialog.


Note Click the Help button to learn about the available options and settings.

3. Click OK to create the new graph and to begin displaying data.

(Figure: a monitor statistics graph, with the Bar, Area, Line, Line/Points, Options, and Pause buttons called out.)

The parts of a monitor statistics graph are identified below.

Bar: Click this button to change the display to a bar graph.
Area: Click this button to change the display to an area graph.
Line: Click this button to change the display to a line graph.
Line/Points: Click this button to change the display to a line graph with points.
Options: Click this button to open the Graph Display Options dialog, where you can set more configuration options. See Graph display options on page 338.


Pause: Click this button to temporarily suspend scrolling and view data which has scrolled off-screen to the left. Monitor statistics graphs scroll each time data is refreshed so the most recent data appears at the far right of the screen.

Note The scroll bar represents the position within a window of the size you set in the Duration parameter. For example, if you set a duration of one hour and have been graphing statistics for only ten minutes, only the right-most portion of the scroll bar will show any graphed data.

OmniPeek capture statistics graphs


You can graph any statistics item calculated in the Nodes, Protocols, Summary, WLAN, or Channels views of a capture window in either of two ways:

Create a new statistics Graph window showing just the selected statistic.
Create or add a statistic to a graph already displayed in the Graphs view of a capture window or file.

The main distinction between the two types of graphs is in their formatting options and the ability to save and retrieve these formats.

To create a graph of a statistics item in a capture window, follow these steps:

1. Highlight the item and choose one of the following:

Click the Graph button in the toolbar.
Right-click and choose Graph.

The Graph Data Options dialog appears.

(Figure: the Graph Data Options dialog for a capture window, with the options unique to capture statistics graphs called out.)

2. Fill in the Graph Data Options dialog.

Note Click the Help button to learn about the available options and settings.

3. Choose one of the following:

Display graph in new window: This option offers the same formatting and data saving options as a graph created for a single monitor statistics item. See OmniPeek monitor statistics graphs on page 322.
Display graph in Graphs view: This option lets you add the new graph to those already listed in the Graphs view of the capture window. See OmniPeek capture window graphs on page 326.
Add to existing graph: This option lets you add the selected statistics item to one of the graphs that already exists in the Graphs view. See OmniPeek capture window graphs on page 326.

4. Click OK to accept your changes.
5. Select the name of the graph from the list at left. The graph will be displayed on the right.

Note When you choose to Display graph in Graphs view, the Save graph data section of the Graph Data Options dialog becomes grayed out. This is because the graphs in the Graphs view are part of the capture window and this data is saved using File > Save Report. You can also use the Statistics Output view of the Capture Options dialog to configure the periodic output of statistics from graphs. For details, see Generating statistics output reports on page 302.

OmniPeek capture window graphs


The Graphs view allows great flexibility in the display of statistics. You can add to, delete, rearrange, create, edit, export, and import graphs of a wide range of formats, each based on single or multiple statistics from the current capture window. Select any title from the list to display that graph in the right pane. The parts of the OmniPeek Graphs view are identified below.

Insert: Opens the New Graph: Pick a Statistic dialog. Click OK to add the new graph to the Graphs view.
Edit: Opens the Graph Display Options dialog for the selected graph. See Graph display options on page 338.


Duplicate: Creates a copy of the selected graph and adds it to the list.


Delete: Deletes the selected graph.
Import: When you click Import, the program first asks if you would like to delete all graphs before importing. If you choose Yes, all the graphs currently shown in the Graphs view will be deleted and replaced by the contents of the imported *.gph file. If you choose No, the graphs you import will be added to the current list. Use the file Open dialog to navigate to the location of the *.gph file you wish to import, and click OK.
Export: You can export the entire contents of the Graphs view to a *.gph file, which is a set of parameters for defining all the graphs currently in the Graphs view. This allows you to create and maintain groups of graphs for particular troubleshooting tasks, or for particular environments.

Bar: Click this button to change the display to a bar graph.
Area: Click this button to change the display to an area graph.
Line: Click this button to change the display to a line graph.
Line/Points: Click this button to change the display to a line graph with points.
Pie: Click this button to change the display to a pie graph.
Options: Click this button to open the Graph Display Options dialog, where you can set more configuration options. See Graph display options on page 338.


Pause: Click this button to temporarily suspend scrolling and view data which has scrolled off-screen to the left. Statistics graphs scroll each time data is refreshed so the most recent data appears at the far right of the screen.

The scroll bar represents the position within a window of the size you set in the Duration parameter. For example, if you set a duration of one hour and have been graphing statistics for only ten minutes, only the right-most portion of the scroll bar will show any graphed data.

Tip You can restore the default Graphs view by importing the Default Graph.gph file, located in the 1033\Graphs directory.

OmniEngine statistics graphs


The graphs function on an OmniEngine lets you create customized graphs of user-defined statistics from the Nodes, Protocols, WLAN, and Summary statistics views of OmniEngine capture windows.


The Graphs tab of the OmniEngines window also allows you to create and manage graph templates, which can be used by any OmniEngine capture on that particular OmniEngine. See OmniEngine graph templates on page 333.

To view graphs in an OmniEngine capture window:

1. Start a capture from the Home tab or Capture tab of a connected OmniEngine. See Creating an OmniEngine capture window on page 31.
2. Select Enable graphs in the Graphs options of the OmniEngine Capture Options dialog. See OmniEngine graphs capture options on page 329.
3. Click OK. A new OmniEngine capture window appears.
4. Click the Start Capture button and then the Graphs view of the OmniEngine capture window. See OmniEngine capture window graphs on page 330.
5. Select the graphs you wish to display in the OmniEngine capture window. The example below displays the graphs for ARP analysis and Expert events.


OmniPeek User Guide

Tip Right-click in the graph area to choose from a Gallery of graph displays.

OmniEngine graphs tab


Select the Graphs tab for a connected OmniEngine in the OmniEngines window. (See Connecting to an OmniEngine on page 14.) A list of pre-defined and created graphs is displayed. The parts of the OmniEngine Graphs tab are identified below.

Insert: Opens the Create Graph Template dialog. See Creating a new OmniEngine graph template on page 333.
Edit: Opens the Edit Graph Template dialog. See Editing an OmniEngine graph template on page 337.
Delete: Deletes the selected graph.
Refresh: Refreshes the list of graphs at user-defined intervals.

OmniEngine graphs capture options


The Graphs options of the OmniEngine Capture Options dialog lets you manage the graphing capabilities for individual OmniEngine captures.


The parts of the Graphs options of the OmniEngine Capture Options dialog are identified below.

Enable Graphs: Select this check box in order to have the Graphs view appear in the OmniEngine capture window.
Interval: Choose the sampling interval for all statistics used for graph creation in the current OmniEngine capture window. Enter a value and choose the units.

For any statistics item normally expressed per unit of time, the graphing function creates an average value over the sampling interval you choose.

Keep most recent __ hours: Choose the number of hours for statistics collection.

Files are created on the hour. One folder per capture is created, with one *.sts file per hour of preserved graph data. There is an added *.sts file for the data from the current hour. For example, if your Keep most recent setting is eight hours, then there will be nine *.sts files.

Select Graph Templates: This section shows all currently defined graph templates and provides tools for creating and managing them. (See OmniEngine graphs tab on page 329 for details on creating graph templates.)

Select one or more graph template(s) to add them to the Graphs view of the new OmniEngine capture window.


OmniEngine capture window graphs


The Graphs view of an OmniEngine capture window can show multiple graphs, each one of which can show one or more statistics items from any combination of the following views: Nodes, Protocols, WLAN, and Summary statistics. A graph enabled in the Graphs list is shown in the right pane. When multiple graphs are enabled, they are stacked vertically. All graphs share the same horizontal time axis. The parts of the OmniEngine Graphs view are identified below.

Insert: Click to add an existing graph template to the Graphs list by opening the Graph Templates dialog.
Delete: Click to remove selected graph template(s) from the Graphs list. (The deleted graph template will be restored to the list in the Graph Templates dialog.)
Graph list: Click to toggle the display of the Graphs list.
Pause: Click to toggle the update of all graphs, preventing them from automatically scrolling to the right at each new sampling interval.
Zoom in: Click to enlarge the size of the display.
Zoom out: Click to reduce the size of the display.
Display duration: Use the drop-down list beside it to select the time window (left-right expanse) displayed for all graphs. A shorter interval has the effect of zooming in, a longer interval of zooming out.
First, Previous, Next, Last: Use these buttons to scroll through the graphs when the Pause button is clicked (active).


Right-click options:

Gallery: Select alternative graph displays.
Options: Opens the Graphs Display Options dialog. See Graph display options on page 338.
Legend: Toggles display of the graph legend.
Copy: Copies the graph image to the clipboard.
Print: Opens the Print dialog for printing the graph.

To add an existing graph template to the Graphs list:
1. Click Insert. The Graph Templates dialog appears.


2. Select the check box beside any graph template you wish to add to the Graphs list of the OmniEngine capture window.
3. Click OK.

To create a new graph template, choose one of the following:
Click the Insert button in the Graph Templates dialog.
Select statistics items directly in the Nodes, Protocols, or Summary views of OmniEngine capture windows and click the Graph button in the toolbar.

The Create Graph Template dialog appears. For details, see OmniEngine graph templates on page 333.

Tip To open a window that shows only the Graphs view of an OmniEngine capture window, right-click its listing in the Captures view of the OmniEngines window and choose Graphs. This allows you to monitor and manage the Graphs view of the OmniEngine capture window using minimal bandwidth and processing power.

OmniEngine graph templates


You can create, edit, and manage graph templates in the Graphs tabs of the OmniEngines window, the OmniEngine Capture Options dialog, and any OmniEngine capture window.


Note Changes to the graph templates stored on an OmniEngine take effect immediately. Unlike other functions, no separate steps are required to send changes to the OmniEngine.

Creating a new OmniEngine graph template


To create a new OmniEngine graph template:
1. Click the Insert button in the Graphs tab of the OmniEngines window. The Create Graph Template dialog appears.

2. Fill in the following fields:

Enter a Name for the new graph template.
You may enter a Comment to further describe the graph template.
Choose the Units (Bytes or Packets). The same units must be used for all parameters in a single graph template.

3. Click the Insert button. The Select Graph Items dialog appears. Alternatively, you can use the list beside the Insert button to open the dialog to a particular tab by choosing Protocols, Nodes, or Summary from the drop-down list.
4. Make your changes on one or more of these tabs. (See instructions for each tab below.)
5. Use the Delete button in the Graph Items list to delete selected statistics items.
6. Click OK to create the new remote graph template and add it to the list in the Graphs tab of the OmniEngines window.


To add a protocol statistics item to the graph template:
1. Open the Protocols tab of the Select Graph Items dialog.
2. Click the Insert button to open the Protocol Filter window.
3. Select one of the following methods of defining the protocol by choosing from the drop-down list:

Generic ProtoSpec is a flat tab of all available ProtoSpec definitions.
Specific ProtoSpec shows all protocols nested under their physical layer.
For more information on these methods of defining protocols, see ProtoSpecs on page 287.

Tip Click the Description button to present a brief description of any protocol selected in either type of ProtoSpec listing.

4. Select a protocol under your preferred method.
5. Click OK to add it to the list and close the Protocol Filter window. The protocol item you selected will appear in the list in the Protocols tab of the Select Graph Items dialog.

6. Add other protocol items by repeating these steps, or add other types of statistics by opening other tabs of the Select Graph Items dialog.
7. Click OK to return to the Create Graph Template dialog.


To add a node statistics item to the graph template:
1. Open the Nodes tab of the Select Graph Items dialog.

2. Enter the Address of the node using a format and notation appropriate to the address Type selected below. Alternatively, you can click the arrow to the right of the Address text entry box and choose:

Name Table: Lets you choose an address from the Name Table resident on the local copy of OmniPeek.
Resolve: Attempts to resolve the IP hostname entered in the Address field by querying DNS services from the OmniPeek computer.

3. Choose a Type of address from the drop-down list.
4. Choose the Units for all statistics items by selecting from the drop-down list.
5. Click the Insert button to add the node just defined to the list in this graph template.
6. Add other nodes by repeating these steps or add other types of statistics by opening other tabs of the Select Graph Items dialog.
7. Click OK to return to the Create Graph Template dialog.

To add a summary statistics item to the graph template:
1. Open the Summary tab of the Select Graph Items dialog.


2. Select a statistics item in the Available Statistics pane at the top of the tab. Right-click to Expand All or Collapse All items in the nested view of available Summary Statistics items.
3. Click the Insert button to add the selected statistics item to the table. (The Insert button is grayed out when you select an unsupported item.)
4. Select an item in the table and click the Delete button to remove the item from the table, or click Delete All to clear the entire table.
5. Add other Summary statistics items by repeating these steps, or add other types of statistics by opening other tabs of the Select Graph Items dialog.
6. Click OK to return to the Create Graph Template dialog.

Editing an OmniEngine graph template


To edit an existing OmniEngine graph template:
1. Select the graph you wish to edit in the Graphs tab of the OmniEngines window. The Edit Graph Template dialog appears with the existing name, comment, units, and graph items filled in.
2. Make changes to these fields following the instructions for creating OmniEngine graph templates. See Creating a new OmniEngine graph template on page 333.


Configuring and saving graphs


You can control the appearance of graphs in the Graphs Display Options dialog and save graphs in several formats.

Graph display options


The Graph Display Options dialog lets you control how a graph is displayed. The dialog has up to five tabs, depending on the statistical context and whether it is a free-standing window or it is displayed in the Graphs view of a capture window or file. To open the Graph Display Options dialog in OmniPeek:

Click the Options button in the toolbar of a Graphs window. The Graph Display Options dialog appears.

To open the Graph Display Options dialog in OmniEngine:
1. Right-click in the graphs area of an OmniEngine capture window.
2. Choose Options. The Graph Display Options dialog appears.

Type: This tab lets you choose the type of graph to display. The choice of graph types is context sensitive, and only those choices applicable to the graph being modified are available.
Color: This tab lets you control the color of display elements. Click in the color swatches to choose from the palette.
Scale: This tab controls the scale used for the Y-axis (vertical scale) of the graph.
Misc.: This tab allows you to configure additional settings for your graph.


Statistics: This tab presents a list of each statistics item displayed in the current graph. The drop-down list at the bottom of the tab presents alternative choices for the Units used to measure the selected statistics item.

Note Click the Help button on the dialog to learn more about the available options and settings.

To add or delete items from the Statistics tab:
1. Use the buttons to Insert or Delete a statistics item, or to move the selected item Up or Down in the display.
2. Click the Insert button to open the Add Statistic dialog.

The Add Statistic dialog presents a scrollable hierarchical list of all statistics in the Summary view and a drop-down list for choosing the appropriate Units of display for the highlighted statistics item.


3. Click OK to return to the Graphs Display Options dialog.

Saving OmniPeek graphs


You can choose to save either the graph data or the current image of the OmniPeek graph itself. When an OmniPeek Graph window is the active window, you can choose File > Save Graph to open a standard Save As dialog from which you can save either the graph data or the current image of the Graph window itself.

Note For packet size and history statistics graphs, choose File > Save Size Statistics or File > Save History Statistics.

To save the OmniPeek graph data or image:
1. Choose File > Save Graph.
2. Give the file a name.
3. Choose one of the following from the Save file format list:

Text (tab delimited) (*.txt)
CSV (comma delimited) (*.csv)
XML (*.xml)
Bitmap image (*.bmp)
PNG image (*.png)
PDF document (*.pdf)

Saving OmniEngine graphs


To save graph images in OmniEngine, right-click in the graph display and choose Copy. Navigate to a program in which you can paste the graph image.


Chapter 15: Setting Alarms and Triggers

In this chapter:

About alarms and triggers (page 342)
Viewing alarms (page 342)
Creating and editing alarms (page 348)
Setting triggers (page 350)


About alarms and triggers


Setting alarms and triggers can help you uncover many hard-to-find network problems. OmniPeek alarms query a specified monitor statistics function once per second, testing for user-specified problem and resolution conditions. On matching any of these tests, the alarm function sends a notification of user-specified severity.

Note OmniEngine alarms query a specified parameter in the Summary statistics view of an OmniEngine capture window. See Creating and editing OmniEngine alarms on page 349 and OmniEngine alarm windows on page 344.

Triggers are used to start or stop capture in a capture window at a specified time or network event. They are very useful for pinpointing the origins of intermittent network problems. For example, you can set a start trigger so that capture begins when a problem occurs. Conversely, you can stop capturing when the problem occurs so that you can see exactly what happened just prior to the observed symptom. Alternatively, if you know that problems occur at a particular time, you can set a time event to begin capturing packets during that time. Start and stop triggers can help you uncover many hard-to-find network problems. See Setting triggers on page 350.

Viewing alarms
The program ships with predefined alarms. These will be listed along with alarms that have been created or modified.

Predefined alarms
Two sets of ready-made alarms are included with the program for your convenience, located in the 1033\Alarms directory (default alarms.alm and additional alarms.alm). These alarms cover the most frequently encountered network problem conditions. You can load these or any other saved set of alarms using the Import button in the Alarms window.

OmniPeek alarms
OmniPeek console alarms can be created for items in the Node, Protocol, Summary, Channel, and WLAN monitor statistics windows. You can also create an alarm from the analogous views of a capture window, or from any open statistics Graph window. Unlike triggers, filters and Analysis Modules, alarms do not query all incoming packets directly. Instead, alarms query statistics functions, looking for the occurrence of the statistical values and their persistence over a specified length of time. This allows multiple alarms to be set without adding packet processing overhead, thus speeding program performance.

Important! The Monitor statistics option under the Monitor menu must be enabled in order for alarms to work. Additionally, the monitor adapter must be selected for Monitor statistics to be enabled.

The Alarms window contains all the alarms available in the program. This includes predefined alarms as well as any you have created or modified. You can enable, disable, duplicate, modify or delete them, or create a real-time graph of the Monitor statistics parameters they are monitoring. To view the Alarms window:

Choose View > Alarms. The Alarms window appears.

The parts of the Alarms window are identified below.



Notification column: Displays an icon representing the severity of any notification sent by an alarm that is in a triggered state.
Enabled: Shows a check mark if the alarm is enabled. Select the check box to enable or uncheck to disable individual alarms. When an alarm is disabled it is shown in grey.


Suspect Condition: Shows a shorthand version of the statistics measurements required to trigger this part of the alarm. This value is set in the Make Alarm dialog. Alarm conditions which have been triggered are shown in red.
Problem Condition: Like the Suspect Condition column, shows a shorthand version of the statistics measurements required to trigger this part of the alarm. This value is set in the Make Alarm dialog. Alarm conditions which have been triggered are shown in red.
Alarm: Shows the name of the alarm, which by default is the name of the statistic to be monitored. This value is set in the Make Alarm dialog.

Tip Double-click an alarm to open the Edit Alarm dialog with that alarm's properties ready to edit.

Edit: Opens the Edit Alarm dialog with the selected alarm's properties ready to edit.
Duplicate: Click to make a copy of the highlighted alarm.
Delete: Click to delete the highlighted alarm.
Import: Click to reload an .alm file to the Alarms window. When you load an alarms file, you can choose whether to add to the existing list or replace it with the contents of the new file.
Export: Click to save the whole contents of the Alarms window to an .alm file.
Enable All: Click to select all alarms in the window.
Disable All: Click to disable all alarms at once in the window.
Graph: Click to create a graph showing the current values for the statistics being monitored by any alarm. Graphs created from an alarm will show a red line indicating the value set as the alarm's Problem Condition and an orange line for its Suspect Condition.

Tip Button functions are also available from a context menu by right-clicking on any alarm.

OmniEngine alarm windows


OmniEngine alarms can be created, edited, and managed in the following windows:

OmniEngine alarms tab
OmniEngine capture options
OmniEngine capture window alarms


OmniEngine alarms tab


The Alarms tab of an OmniEngine shows a list of all the alarms available on that OmniEngine. The parts of the OmniEngines window Alarms tab are identified below.

Edit: Click to open the Edit Alarm dialog with the selected alarm's properties ready to edit.
Duplicate: Click to make a copy of a selected alarm.
Delete: Click to delete a selected alarm.
Refresh: Click to update the current view with the latest information stored on an OmniEngine.
Alarm: Shows the name of the alarm, which by default is the name of the statistic to be monitored. This value is set in the Make Alarm dialog.
Suspect Condition: Shows a shorthand version of the statistics measurements required to trigger this part of the alarm. This value is set in the Make Alarm dialog. Alarm conditions which have been triggered are shown in red.
Problem Condition: Like the Suspect Condition column, shows a shorthand version of the statistics measurements required to trigger this part of the alarm. This value is set in the Make Alarm dialog. Alarm conditions which have been triggered are shown in red.


Created: Lists the date and time the alarm was created.
Modified: Lists the date and time the alarm was modified.

OmniEngine capture options


The Alarms options of the OmniEngine Capture Options dialog allows you to selectively enable or disable individual alarms for a particular OmniEngine capture window. From these options, you can also manage existing alarms (Edit, Duplicate, or Delete the selected alarm).

Check the check box at the left of any listed alarm to enable it. You can click the Disable All icon in the header to uncheck all alarms.

Note Click the Help button to learn about the available options and settings.

OmniEngine capture window alarms


The Alarms view of an OmniEngine capture window allows you to see the current state of the alarms enabled for this capture window. You can also enable or disable individual alarms for this capture window. The parts of the Alarms view are identified below.


Edit: Click to open the Edit Alarm dialog with the selected alarm's properties ready to edit. You can also double-click an alarm to open the Edit Alarm dialog with that alarm's properties ready to edit.
Duplicate: Click to make a copy of a selected alarm.
Delete: Click to delete a selected alarm.
Disable All: Click to disable all alarms at once in the window.
Refresh: Click to update the current view with the latest information stored on an OmniEngine.
Click here to send changes: Click to send changes to the OmniEngine. Changes to the Make Alarm dialog will not take effect on the OmniEngine until this is clicked.
Notification column: Displays an icon representing the severity of any notification sent by an alarm that is in a triggered state.
Enabled: Shows a check mark if the alarm is enabled. Select the check box to enable or uncheck to disable individual alarms. When an alarm is disabled it is shown in grey.


Suspect Condition: Shows a shorthand version of the statistics measurements required to trigger this part of the alarm. This value is set in the Make Alarm dialog. Alarm conditions which have been triggered are shown in red.
Problem Condition: Like the Suspect Condition column, shows a shorthand version of the statistics measurements required to trigger this part of the alarm. This value is set in the Make Alarm dialog. Alarm conditions which have been triggered are shown in red.
Alarm: Shows the name of the alarm, which by default is the name of the statistic to be monitored. This value is set in the Make Alarm dialog.
Created: Lists the date and time the alarm was created.
Modified: Lists the date and time the alarm was modified.

Tip You can change alarm settings while remote capture is under way. Select the remote capture in the OmniEngine Capture tab and open the Capture Options dialog. You must click Click here to send changes to the OmniEngine to set the alarm in the OmniEngine capture window.

Creating and editing alarms


To create a new alarm:
1. Open one of the statistics windows, statistics views, or statistics graphs offering the Make Alarm function.
2. Select the item to be monitored.
3. Click the Alarms button at the top of the window, or right-click the item and choose Make Alarm. The Make Alarm dialog appears.


4. Fill in the parameters for the alarm and the severity of the notification to be sent when conditions are met.

Note Click the Help button in this dialog to learn about the available options and settings. For more about notifications, see Chapter 16, Sending Notifications.

Tip A single alarm can test for two distinct levels: Suspect Condition and Problem Condition. Both sets of conditions share the same Resolve Condition. This allows you to create a yellow alert / red alert / stand down for the same statistics parameter in a single alarm. Alternatively, you can specify only the Suspect Condition or only the Problem Condition for an alarm.

5. Click OK to create and enable the alarm.
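The following is an added example, not code from the OmniPeek User Guide or from WildPackets. It models the alarm semantics described in this chapter: a statistic polled once per second, a Suspect Condition and a Problem Condition that share one Resolve Condition, a condition counting as met only once its test has held for a required number of consecutive samples (the "persistence over a specified length of time" noted under OmniPeek alarms), and one notification with a severity per state change. The thresholds, persistence durations, severity labels and the utilization series are constructed for illustration and are not values from the product.

```python
"""Added example: a model of OmniPeek-style two-level alarms with persistence.
Not code from the OmniPeek User Guide; thresholds, durations, severity labels
and the sample stream are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Condition:
    """A threshold test plus how many consecutive one-second samples it must hold."""
    test: Callable[[float], bool]
    persist_seconds: int
    severity: str          # severity of the notification sent when this level is entered (assumed label)


@dataclass
class Alarm:
    name: str
    suspect: Optional[Condition]       # "yellow alert"; may be omitted
    problem: Optional[Condition]       # "red alert"; may be omitted
    resolve: Condition                 # "stand down"; shared by both levels
    state: str = "normal"              # normal | suspect | problem
    streaks: Dict[str, int] = field(default_factory=dict)
    notifications: List[Tuple[int, str, str]] = field(default_factory=list)

    def _held(self, key: str, cond: Optional[Condition], value: float) -> bool:
        """Update the run of consecutive samples for which cond is true; report persistence."""
        if cond is None:
            return False
        self.streaks[key] = (self.streaks.get(key, 0) + 1) if cond.test(value) else 0
        return self.streaks[key] >= cond.persist_seconds

    def sample(self, t: int, value: float) -> Optional[str]:
        """Feed the statistic's value for second t; return the new state if it changed."""
        problem_met = self._held("problem", self.problem, value)
        suspect_met = self._held("suspect", self.suspect, value)
        resolve_met = self._held("resolve", self.resolve, value)

        new_state = self.state
        if problem_met and self.state != "problem":
            new_state = "problem"                  # escalate from normal or suspect
        elif suspect_met and self.state == "normal":
            new_state = "suspect"                  # never downgrade problem -> suspect
        elif resolve_met and self.state != "normal":
            new_state = "normal"                   # stand down from either level

        if new_state == self.state:
            return None
        level = {"problem": self.problem, "suspect": self.suspect, "normal": self.resolve}[new_state]
        self.notifications.append((t, new_state, level.severity))
        self.state = new_state
        return new_state


def run_demo() -> Tuple[str, List[Tuple[int, str, str]]]:
    """Drive one alarm with a constructed utilization series; return final state and notifications."""
    alarm = Alarm(
        name="Network Utilization (%)",
        suspect=Condition(test=lambda v: v >= 60, persist_seconds=3, severity="Minor"),
        problem=Condition(test=lambda v: v >= 85, persist_seconds=2, severity="Severe"),
        resolve=Condition(test=lambda v: v < 40, persist_seconds=3, severity="Informational"),
    )
    # Constructed once-per-second samples: ramp up, spike, then recover.
    utilization = [20, 65, 70, 72, 90, 95, 96, 50, 30, 25, 20, 20]
    for t, value in enumerate(utilization):
        alarm.sample(t, value)
    return alarm.state, alarm.notifications


if __name__ == "__main__":
    state, events = run_demo()
    for t, new_state, severity in events:
        print(f"t={t:2d}s -> {new_state:8s} ({severity})")
    print("final state:", state)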

Creating and editing OmniEngine alarms


Remote alarms watch a value in the Summary statistics view of an individual OmniEngine capture window.

To create a new remote alarm:
1. Open the Summary, Nodes, or Protocols view of an OmniEngine capture window.
2. Select the item to be monitored.
3. Click the Make Alarm icon in the header, or right-click the item and choose Make Alarm. The Make Alarm dialog appears.


4. Fill in the parameters for the alarm and the severity of the notification to be sent when conditions are met.

Note Click the Help button to learn about the available options and settings. For more about notifications, see Chapter 16, Sending Notifications.

Tip A single alarm can test for two distinct levels: Suspect Condition and Problem Condition. Both sets of conditions share the same Resolve Condition. This allows you to create a yellow alert / red alert / stand down for the same statistics parameter in a single alarm. Alternatively, you can specify only the Suspect Condition or only the Problem Condition for an alarm.

5. Click OK to create the alarm. The alarm is automatically added to all lists of that OmniEngine.

Tip Tripped alarms will display an icon in the Captures view of the OmniEngines window, matching the severity of the alarm state (suspect, problem, resolve).

Setting triggers
Triggers are used to start or stop capture in a capture window at a specified time or network event. They are very useful for pinpointing the origins of intermittent network problems. For example, you can set a start trigger so that capture begins when a problem occurs. Conversely, you can stop capturing when the problem occurs so that you can see exactly what happened just prior to the observed symptom. Alternatively, if you know that problems occur at a particular time, you can set a time event to begin capturing packets during that time. Start and stop triggers can help you uncover many hard-to-find network problems. You can create a start trigger, a stop trigger, or both a start and stop trigger for each capture window that you have open.

Note To set triggers on an OmniEngine capture window, see Setting start and stop triggers on an OmniEngine on page 352.

To set start and stop triggers:
1. Choose Capture > Capture Options. The Capture Options dialog appears.
2. Select the Triggers options.


3. Select the Start trigger check box to enable a start trigger.

Click the Trigger Event button to configure the event that will start the capture. You can set one or both of the following types of trigger events:

Time trigger events: Capture starts when a user-specified time occurs. If you select a time trigger, you can also specify a date to use as well.
Filter trigger events: Capture starts when the selected filter event(s) occurs.

Note When both a time and filter trigger event option is selected, capture starts when either of the trigger events occur. To filter packets, make sure you also have filters set up in the capture options.

Notify: Select this option to send a notification of the selected severity when the start trigger is activated.
Start capture: Select this option to start a capture when the start trigger is activated.

4. Select the Stop trigger check box to enable a stop trigger.

Note If you do not select the Stop trigger check box, packet capturing started by a start trigger continues indefinitely until it is aborted manually by the user.

Click the Trigger Event button to configure the event that will stop (or abort) the capture. You can set one or both of the following types of trigger events:


Time trigger events: Capture stops when a user-specified time occurs. If you select a time trigger, you can also specify either a specific time, elapsed time, or date.
Filter trigger events: Capture stops when the selected filter event(s) occurs.
Bytes captured: Capture stops when the specified number of bytes are allowed to pass through the capture buffer.

Notify: Select this option to send a notification of the selected severity when the stop trigger is activated.
Stop capture: Select this option to stop a capture when the stop trigger is activated.

5. Select the Repeat mode check box if you want to reset the start trigger each time the stop trigger is activated. This option is only available when both the Start trigger and Stop trigger check boxes are selected.

Note Repeat mode allows you to capture multiple occurrences of the same event(s) with a single capture window.

6. Click OK to close the Capture Options dialog and return to the capture window. If a start trigger was defined, the Start Capture button in the capture window turns into the Start Trigger button (if no start trigger was defined, the Start Capture button does not change).

Tip The status bar at the bottom left of the capture window provides information about the current state of the capture window.

7. Click the Start Trigger button to turn on the triggers. The Start Trigger button turns into the Abort Trigger button.

Important! The actual capturing of packets does not begin until the start trigger event defined above occurs. Once packet capture begins, the Abort Trigger button turns into the Stop Capture button.

Setting start and stop triggers on an OmniEngine


You can create a start trigger, a stop trigger, or both a start and stop trigger for each new OmniEngine capture window that you create.


Note You cannot set start and stop triggers on an existing OmniEngine capture window that was not created with either a start or stop trigger.

To set start and stop triggers:
1. Open the OmniEngines window and connect to an OmniEngine.
2. Click the Captures tab of the OmniEngine.
3. Click the Insert button in the right pane to create a new capture window. The Capture Options dialog appears.
4. Select the Triggers options.

5. Select the Start trigger check box to enable a start trigger.

Click the Trigger Event button to configure the event that will start the capture. You can set one or more of the following types of trigger events:

Time trigger events: Capture starts when a user-specified time occurs. If you select a time trigger, you can also specify a date to use as well.
Filter trigger events: Capture starts when the selected filter event(s) occurs.
Bytes captured: Capture starts after the specified number of bytes are allowed to pass through the capture buffer.


Note When one or more start trigger event options are selected, capture starts when any of the trigger events occur.

Select the Notify check box to send a notification of the selected severity when the start trigger event occurs.
Select the Start capture check box to start a capture when the start trigger event occurs.

6. Select the Stop trigger check box to enable a stop trigger.

Note If you do not select the Stop trigger check box, packet capturing started by a start trigger continues indefinitely until it is aborted manually by the user.

Click the Trigger Event button to configure the event that will stop (or abort) the capture. You can set one or more of the following types of trigger events:

Time trigger events: Capture stops when a user-specified time occurs. If you select a time trigger, you can also specify either a specific time, elapsed time, or date.
Filter trigger events: Capture stops when the selected filter event(s) occurs.
Bytes captured: Capture stops after the specified number of bytes are captured into the capture buffer.

Select the Notify check box to send a notification of the selected severity when the stop trigger event occurs. Select the Stop capture check box to stop a capture when the stop trigger event occurs.

7. Select the Repeat mode check box if you want to reset the start trigger each time the stop trigger is activated. This option is only available when both the Start trigger and Stop trigger check boxes are selected. Note Repeat mode allows you to capture multiple occurrences of the same event(s) with a single capture window. 8. Click OK to close the Capture Options dialog. If a start trigger was defined, the Start Capture button in the capture window turns into the Start Trigger button (if no start trigger was defined, the Start Capture button does not change). 354 Setting triggers


Tip The status bar at the bottom left of the capture window provides information about the current state of the capture window.

9. Click the Start Trigger button to turn on the triggers. The Start Trigger button turns into the Abort Trigger button.

Important! If a start trigger was defined, packet capture does not begin until the start trigger event defined above occurs. Once packet capture begins, the Abort Trigger button turns into the Stop Capture button.


Chapter 16: Sending Notifications

In this chapter:

About notifications . . . . . 358
Configuring notifications . . . . . 358
Creating a notification action . . . . . 360

About notifications
Notifications are messages sent from triggers, alarms, Analysis Modules, and other parts of the program to announce and describe the occurrence of specified events on the network. Each notification is assigned a level of severity that indicates the importance of the notification. Whenever a notification is sent, the assigned level of severity will trigger any actions that are configured to start when the level of severity is generated by the program. There are four levels of severity:

• Informational
• Minor
• Major
• Severe

The level of severity is set by the function generating the notification. For triggers, alarms and some Analysis Modules, the user can set the level of severity directly. Other Analysis Modules are coded to always assign a certain severity to notifications of a particular event. Analysis Modules can also be limited to a capped range of severities, overriding their internal coding. For information about how functions generate notifications, see Setting triggers on page 350 and Chapter 19, Applying Analysis Modules.

Configuring notifications
To configure notifications:

1. Choose Tools > Options. The Options dialog appears.

Note To configure notifications from an OmniEngine, open the OmniEngines window and connect to an OmniEngine.

2. Click the Notifications options. (For an OmniEngine, select the Notifications tab.)


Any actions currently defined are displayed. By default, the Log action is the only action defined when no other actions have been created. The buttons in the Notification views are as follows:

• Insert: Click this button to create a new action.
• Edit: Click this button to edit the selected action. (Double-clicking an Action also lets you edit the selected action.)
• Duplicate: Click this button to duplicate the selected action.
• Delete: Click to delete the selected action.
• Test (OmniPeek console only): Click to edit the long and short messages of a sample notification, set the severity of the test notification, then test the notification settings for that severity level.
• Refresh (OmniEngine only): Click to refresh the view.


Note Click the Insert button to define a new action. See Creating a notification action on page 360.

3. For each action, select the level of severity check box that will start the action whenever the level of severity is generated by the program. The four levels of severity are:

• Informational
• Minor
• Major
• Severe

4. Click OK.

Creating a notification action


To create a notification action in OmniPeek:

1. Choose Tools > Options. The Options dialog appears.

Note To create notifications from an OmniEngine, open the OmniEngines window and connect to an OmniEngine.

2. Click the Notifications options. (For an OmniEngine, select the Notifications tab.)
3. Click the Insert button. The Insert Action dialog appears.
4. In the Action box, type a name for the new action.
5. In the Type list, select the type of action. You can select from the following:


• Log: This action sends the notification to the log file.
• Email: This action sends notifications as email messages. The text of the notification is included in the body of the message.
• Execute: This action lets you run a program that you specify.
• Text Log: (OmniEngine only) This action lets you write the notification to a text file stored in the OmniEngine Data Folder. The Data Folder is configured in the General view of the OmniEngine Configuration Wizard. (See the OmniEngine Getting Started Guide for details.)
• Sound: (OmniPeek only) This action lets you play an audio *.wav file.
• Syslog: This action sends a syslog message. The text of the notification is included in the body of the message.
• SNMP Trap: This action sends notifications as SNMP trap messages. The text of the notification is included in the body of the message.

Note The MIBs directory contains the MIB file that supports the SNMP Trap action in notifications. In a typical default installation, this directory is at C:\Program Files\WildPackets\OmniPeek\MIBs.

Selecting an action, except for the Log action, displays additional fields in the dialog that allow you to configure the action. Click Help on the dialog to learn more about the available settings and configurations.

Note For OmniEngines, the source for a notification must also be specified. See Sources of OmniEngine notifications on page 362.

6. Click OK. The new action is added to the Notifications view.

Note For OmniEngines, you must also click the yellow bar above the list of actions in order to send the changes to the OmniEngine.

7. For the new action, select the level of severity check box that will start the action whenever the level of severity is generated by the program. See Configuring notifications on page 358.

8. Click OK.


Sources of OmniEngine notifications


In an OmniEngine, you must specify the source of notifications to which an action will respond. The Edit Action dialog lets you select the source for an action.

[Figure callout: Source]

The sources of notifications for an OmniEngine are:

• Peek Agent: Peek Agent is an OmniEngine itself. It generates notifications on the occurrence of events directly related to OmniEngine functions such as the start and stop of an OmniEngine itself.
• Alarms: Alarms are any alarms enabled in the Alarms view of any active capture window on the OmniEngine.
• Expert: Expert is the Expert view and Expert analysis functions in any active capture window on the OmniEngine.
• FTP Plugin: FTP Plugin is the FTP Analysis Module running on the OmniEngine.
• Peek Capture: Peek Capture is any active capture window running on an OmniEngine. A capture window generates notifications of changes in its overall state, such as start and stop of capture, a tripped trigger, and so forth.
• Web Plugin: Web Plugin is the Web Analysis Module running on the OmniEngine.

When a Source is selected, the action will be used to send (or respond to) notifications from that source, but only when the notification also has a level of severity that matches one of the levels of severity enabled for the Action in the Notifications view of the OmniEngines window. For example, you can create an Action that responds only to notifications that have Alarms as their source. If you then enable this Action only for notifications with a severity level of Severe (using the tools in the Notifications view), the Action will respond only to a notification generated by an Alarm that also has a severity level of Severe.
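The two conditions described above (the severity check boxes selected for an action, and on an OmniEngine the notification source) are modelled below, together with the capped severity range that About notifications says can be imposed on an Analysis Module. This is an added example written for this guide, not WildPackets code; the class names, the field names and the constructed Log and Email actions are assumptions about how the settings combine, not a description of the product's internals.

```python
"""Model of how a notification action is selected, as described in the
notification chapter above.  Added example; not WildPackets code.  Class
names, field names and the sample notifications are assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# The four levels of severity, in increasing order of importance.
SEVERITIES = ("Informational", "Minor", "Major", "Severe")


@dataclass
class Notification:
    source: str      # OmniEngine source, e.g. "Alarms", "Expert", "Peek Capture"
    severity: str    # one of SEVERITIES
    message: str


@dataclass
class Action:
    """One row of the Notifications view: a type (Log, Email, Syslog, ...),
    the severity check boxes that are selected, and, on an OmniEngine, the
    source the action responds to (None = no source restriction)."""
    name: str
    action_type: str
    severities: Set[str]
    source: Optional[str] = None
    delivered: List[Notification] = field(default_factory=list)

    def matches(self, n: Notification) -> bool:
        # Both conditions must hold: the severity check box is selected
        # AND (on an OmniEngine) the source matches the selected source.
        if n.severity not in self.severities:
            return False
        if self.source is not None and n.source != self.source:
            return False
        return True


def cap_severity(severity: str, cap: str) -> str:
    """Apply a capped severity range to an Analysis Module's notification:
    anything above the cap is reported at the cap (assumed semantics)."""
    if severity not in SEVERITIES or cap not in SEVERITIES:
        raise ValueError("unknown severity level")
    if SEVERITIES.index(severity) > SEVERITIES.index(cap):
        return cap
    return severity


def dispatch(n: Notification, actions: List[Action]) -> List[str]:
    """Deliver n to every action whose check boxes and source match it;
    return the names of the actions that fired, in configuration order."""
    fired = []
    for action in actions:
        if action.matches(n):
            action.delivered.append(n)
            fired.append(action.name)
    return fired


def build_demo_actions() -> List[Action]:
    # Constructed configuration: the default Log action enabled for every
    # severity, plus an Email action that responds only to Severe alarms.
    return [
        Action("Log", "Log", set(SEVERITIES)),
        Action("Page on-call", "Email", {"Severe"}, source="Alarms"),
    ]


if __name__ == "__main__":
    actions = build_demo_actions()
    for n in (Notification("Alarms", "Severe", "Utilization above threshold"),
              Notification("Alarms", "Major", "Utilization rising"),
              Notification("Expert", "Severe", "Too many retransmissions")):
        print(n.source, n.severity, "->", dispatch(n, actions))
```

Run as a script, the constructed Email action fires only for the Severe notification whose source is Alarms; the Major alarm and the Severe Expert notification reach the Log action alone, which is exactly the filtering the paragraph above describes.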


Chapter 17: Using the Name Table

In this chapter:

About the name table . . . . . 364
Adding entries to the name table . . . . . 364
OmniPeek name resolution . . . . . 368
Loading and saving name table data . . . . . 370
Using the OmniEngine trust table . . . . . 371

About the name table


The OmniPeek Name Table is used for constructing and maintaining symbolic names for network devices and processes. When you first start capturing packets, devices on your network will typically be identified by their logical or physical addresses. The Name Table lets you assign symbolic names to addresses, ports and protocols. When you are collecting monitor statistics, OmniPeek scans all traffic for logical and symbolic names in the contents of passing packets. You can control how and whether these passively discovered names are added to the Name Table. The Name Table interacts with open OmniEngine capture windows in order to perform name resolution functions. See OmniPeek name resolution on page 368. You can also use the Name Table and the OmniEngine Trust Table to set a trust value for any physical address in the Name Table. See Using the OmniEngine trust table on page 371.

Adding entries to the name table


OmniPeek ships with a default Name Table. There are several ways to create new Name Table entries for your network devices. You can:

• Add names manually with the Insert dialog.
• Highlight items in other views and click the Insert Into Name Table button.
• Highlight one or more items in other views and click the Resolve Names button.
• Select Enable passive name resolution in the Name Resolution view of the Options dialog.
• Use the Import button in the Name Table window to load previously saved versions of the Name Table.

Note Choose View > Display Format > Name Table Entry to display packets and statistics in the program.

The name table window


Choose View > Name Table to open the Name Table.

[Figure callouts: Add Group, Delete, Edit, Insert, Import, Export, Make Filter]

• Name: The symbolic name you assigned.
• Type: Type of address, port, or protocol.
• Address, Protocol, Port: The value that allows OmniPeek to identify the address, port, or protocol. For example, an address of the Type IP will show a dotted decimal number in the Address column and a protocol of the Type LSAP will show the one-byte hexadecimal discriminator in the Protocol column.

The Address tab also has columns for Node Type and Trust, which are configured in the Edit Name dialog. See Adding and editing name table entries manually on page 366.

Tip Click the column headings to sort entries in the table.

• Insert: This button opens the Insert Name dialog.
• Edit: This button opens the Edit Name dialog with the details of the selected entry filled in and ready to edit. When a Group is highlighted, it brings up the Edit Group dialog with the name of the highlighted Group ready to edit.
• Delete: This button deletes the selected entry.
• Add Group: This button opens the Add Group dialog in which you can create a new group folder. You can drag entries into and out of group folders.
• Import: This button opens a dialog in which you can specify the Names file to load into the Name Table.
• Export: This button opens a Save dialog allowing you to save the contents of the Name Table.
• Make Filter: This button opens the Insert Filter dialog with an untitled filter matching the information in the selected Name Table entry.

Adding and editing name table entries manually


To enter the name table entry manually:

1. Choose View > Name Table.
2. Do one of the following:

• Click the Insert button. The Insert Name dialog appears.
• Select the entry you wish to edit and click the Edit button. The Edit Name dialog appears.

3. Complete the dialog. The Node type options let you choose an icon representing this entry, including Workstation, Server, Router, Switch, Repeater, Printer, or Access Point.

Note Click the Help button on this dialog to learn more about available options and settings.

4. Choose a Trust value for this entry. See Trusted, known, and unknown nodes on page 367.
5. Click OK to add the entry to the Name Table.

Note Symbolic names assigned to protocols in the Name Table will not override names provided by ProtoSpecs. See ProtoSpecs on page 287.


Adding names from other windows


You can add to the Name Table or change name assignments for addresses by choosing device and protocol entries from other displays in the program. Any window that can show individual devices can be used as a source of names for the Name Table. This includes the following windows and views:

• Node Statistics window for monitor statistics
• Packets, Expert, Nodes, WLAN, and Peer Map views in capture windows
• Packet Decode windows

To add information from selected items to the Name Table:

1. Select an item in one of the appropriate views to be entered into the Name Table.
2. Right-click and choose Insert Into Name Table. This opens a dialog (titled to match the appropriate view) with edit fields already filled in to match your selection.
3. Follow the instructions for making manual entries and edits to the Name Table. See Adding and editing name table entries manually on page 366.

Note You can only apply the Insert Into Name Table command to one entry at a time. If multiple entries are selected, each one will be brought up in a separate dialog.

Trusted, known, and unknown nodes


You can use the Name Table to set Trust attributes for any physical address in the Name Table. This is particularly useful for monitoring security in 802.11 WLAN environments.

• Unknown: This is the default value, assigned to any node that is automatically added to the Name Table.
• Known: This is an intermediate value, letting you identify familiar sources that are beyond your own control, such as an access point in a neighboring office.
• Trusted: This is the value you can assign to the devices on your own network.

There are two ways to set Trust values:

• You can set these values in the same way as any other Name Table attributes. See Adding and editing name table entries manually on page 366.
• You can right-click any node in the WLAN Statistics window or the WLAN view of a capture window and choose a Trust value.


If the node is already in the Name Table, its Trust value will be updated. If the node is not yet in the Name Table, the program will silently add the node, using its physical address as the Name for the new entry. If the node is identified in the WLAN view as an access point, the Node type of the new Name Table entry will also be set to Access Point.

Tip You can set alarms and send notifications based on Trust. The Expert view can also use Trust information. Setting the Trust attributes for your network makes intrusion detection fast, accurate, and easy.
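The trust rules just described (Unknown by default, a right-click on a WLAN node silently adding it with its physical address as the Name and, for an access point, the Access Point node type) are easy to misread as a one-time labelling task, whereas their value is the audit they make possible afterwards: every transmitter seen on the WLAN either resolves to Trusted or Known or is flagged. The following is an added example, not code from WildPackets or from the Name Table itself; the class names, the constructed MAC addresses and frame list, and the alert wording are assumptions. It also applies to the OmniEngine Trust Table tab described later in this chapter, which holds the same three values.

```python
"""Trust attributes as the Name Table and the OmniEngine Trust Table apply
them to WLAN nodes.  Added example; not WildPackets code.  The class names,
the constructed frame list and the alert wording are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

TRUST_VALUES = ("Unknown", "Known", "Trusted")


@dataclass
class NameEntry:
    name: str
    address: str              # physical (MAC) address, lower case
    node_type: str = "Workstation"
    trust: str = "Unknown"    # default for automatically added nodes


class TrustTable:
    """Maps physical addresses to a trust value, as the Address tab of the
    Name Table and the OmniEngine Trust Table tab do."""

    def __init__(self) -> None:
        self.entries: Dict[str, NameEntry] = {}

    def set_trust(self, address: str, trust: str, is_access_point: bool = False) -> NameEntry:
        """Equivalent of right-clicking a node in the WLAN view and choosing
        a Trust value: update the node if it is already listed, otherwise
        silently add it with its physical address as the Name."""
        if trust not in TRUST_VALUES:
            raise ValueError(f"invalid trust value {trust!r}")
        key = address.lower()
        entry = self.entries.get(key)
        if entry is None:
            entry = NameEntry(name=key, address=key,
                              node_type="Access Point" if is_access_point else "Workstation")
            self.entries[key] = entry
        entry.trust = trust
        return entry

    def trust_of(self, address: str) -> str:
        # Any node not listed in the table is Unknown.
        entry = self.entries.get(address.lower())
        return entry.trust if entry else "Unknown"


def audit_wlan(table: TrustTable,
               frames: List[Tuple[str, bool]]) -> Tuple[Dict[str, List[str]], List[str]]:
    """Classify every transmitter in `frames` (address, is_access_point) by
    trust and produce one alert line for each Unknown access point."""
    by_trust: Dict[str, List[str]] = {v: [] for v in TRUST_VALUES}
    alerts: List[str] = []
    seen = set()
    for address, is_ap in frames:
        key = address.lower()
        if key in seen:          # report each node once, however often it transmits
            continue
        seen.add(key)
        trust = table.trust_of(key)
        by_trust[trust].append(key)
        if is_ap and trust == "Unknown":
            alerts.append(f"Unknown access point {key} seen on the WLAN")
    return by_trust, alerts


def demo() -> Tuple[Dict[str, List[str]], List[str]]:
    table = TrustTable()
    table.set_trust("00:11:22:33:44:01", "Trusted", is_access_point=True)  # our own AP
    table.set_trust("00:11:22:33:44:02", "Known", is_access_point=True)    # neighbour's AP
    # Constructed observations: (transmitter address, is access point)
    frames = [
        ("00:11:22:33:44:01", True),
        ("00:11:22:33:44:02", True),
        ("00:11:22:33:44:99", True),    # not in the table: an unexpected AP
        ("00:11:22:33:44:10", False),   # unknown client station
        ("00:11:22:33:44:99", True),    # duplicate sighting
    ]
    return audit_wlan(table, frames)


if __name__ == "__main__":
    groups, alerts = demo()
    print(groups)
    print("\n".join(alerts))
```

The alert list is the part worth wiring to a notification: an Unknown client is often just a visitor, but an Unknown access point on your own air is the case the Known value exists to separate from (a neighbour's AP you have already identified raises nothing).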

OmniPeek name resolution


OmniPeek can actively resolve IP device or host names on your network if DNS is reachable. Once names are resolved, they can be added automatically to your Name Table, where the names will be available to replace logical address entries for devices in any displays.

To resolve names manually:

1. Select the nodes or packets whose addresses you wish to resolve. You can do this directly in any window that shows the individual nodes.
2. Click the Resolve Names button in the header of the window in which you've selected the items, or right-click and choose Resolve Names. OmniPeek will use your network to find the names of the IP addresses of the selected packets. You must have an adapter available for network services, and DNS must be reachable over the network. Once names have been resolved, you will see name entries substituted for logical addresses in all displays.

Tip You can also look up the address of an IP name by clicking the Resolve Name button in the Edit Name dialog.

Important! Name resolution requires an active network connection. 802.11 WLAN adapters cannot be used for network services when they are in use for monitoring or capture. The WildPackets Gigabit cards can never be used for network services. For more information, see Supported adapters on page 5.

Configuring name resolution


Name and address resolution is controlled through the Name Resolution options of the Options dialog.


Choose Tools > Options to open this dialog, and click the Name Resolution option. The Name Resolution options are identified below.

• Name replacement options: Use the radio buttons in this section to determine how the program will use new information about names and addresses to automatically update the Name Table. Click the Help button to learn more about the available options and settings.
• Assign names to physical addresses: Select this check box to automatically add names for the physical addresses found in the same packet as the logical addresses being resolved. You may choose to add a short text string to the end of all names assigned by this function. Before resolving names and automatically assigning names to physical addresses, it is recommended that you manually add names for the physical address of intermediate link devices such as routers.
• Append text: Select this option and enter any text to append to the end of all names assigned by this function.
• Enable passive name resolution: When this check box is selected and Monitor Statistics are enabled, the program examines all incoming packets found on the active monitor adapter for symbolic names it can add to the Name Table. It adds these names according to the rules you set down in the Name replacement options section. You can:
  • Accept the default group Passively Resolved Names.
  • Choose another Name Table group as the location in which to put all name and address pairs discovered by passive name resolution. This is particularly useful when much of the traffic from outside the local network uses symbolic names, as Web traffic does.
• Remove unused names after [n] days: Select this option to keep the Name Table from becoming overgrown with unnecessary data.

Tip In some environments, large numbers of new names may be discovered each day through passive name resolution. If a name is encountered before its time is up, the clock for this item is restarted. In this way, you can ensure that all passively added names in the Name Table have been seen in network traffic at some time during, for example, the past two days.
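The aging rule in the Tip above (a passively discovered name keeps its place only while it keeps being seen; each sighting restarts its clock; entries older than the configured number of days are removed) is shown below as an added example written for this guide, not WildPackets code. The class names, the constructed sightings and the choice to update only the timestamp on a repeat sighting are assumptions; the product's Name replacement radio buttons, which the text does not detail, are not modelled.

```python
"""Passive name resolution with the "Remove unused names after N days"
option, as described above.  Added example; not WildPackets code.  The
class names and the constructed sightings are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass
class PassiveName:
    name: str
    address: str
    group: str
    last_seen: datetime


class PassiveNameTable:
    def __init__(self, group: str = "Passively Resolved Names", max_age_days: int = 2) -> None:
        self.group = group                       # Name Table group receiving passive names
        self.max_age = timedelta(days=max_age_days)
        self.entries: Dict[str, PassiveName] = {}

    def observe(self, address: str, name: str, seen_at: datetime) -> bool:
        """Record a name/address pair seen in traffic.  A new pair is added
        to the configured group; a pair already present just has its clock
        restarted.  Returns True when a new entry was created."""
        entry = self.entries.get(address)
        if entry is None:
            self.entries[address] = PassiveName(name, address, self.group, seen_at)
            return True
        entry.last_seen = seen_at   # encountered before its time is up: restart the clock
        return False

    def remove_unused(self, now: datetime) -> List[str]:
        """Drop entries not seen for longer than max_age; return their addresses."""
        expired = [a for a, e in self.entries.items() if now - e.last_seen > self.max_age]
        for address in expired:
            del self.entries[address]
        return expired


def demo() -> Tuple[List[str], List[str]]:
    table = PassiveNameTable(max_age_days=2)
    day = datetime(2012, 5, 1)
    # Constructed sightings: (time, address, symbolic name seen in the packet)
    sightings = [
        (day, "10.0.0.5", "www.example.internal"),
        (day, "10.0.0.9", "mail.example.internal"),
        (day + timedelta(days=2), "10.0.0.5", "www.example.internal"),  # seen again: clock restarts
    ]
    for when, addr, name in sightings:
        table.observe(addr, name, when)
    # Three and a half days after the first sightings: 10.0.0.9 has aged out,
    # 10.0.0.5 was refreshed on day 3 and stays.
    expired = table.remove_unused(day + timedelta(days=3, hours=12))
    return expired, sorted(table.entries)


if __name__ == "__main__":
    print(demo())
```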

Loading and saving name table data


You can load and save the contents of the Name Table, allowing you to keep descriptions of different segments, or to simply store and retrieve different ways of looking at the same segment.

Loading a previously saved name table


You can load the contents of previously built and saved Name Tables, including any Name Table files you may have created manually or exported using other WildPackets analyzers. The program recognizes the following files as Name Tables: *.nam, *.txt (tab delimited), and *.csv (comma delimited) files.

To load the names from another Name Table into the current Name Table:

1. Choose View > Name Table. The Name Table window appears.
2. Click the Import button or choose a previously used Name Table from the list beside the Import button.
3. Choose one of the following:

• Click Yes in the dialog asking Delete all entries before importing? if you would like to replace the existing Name Table with the imported names.
• Click No to add the imported names to the current Name Table.

4. Navigate to the location of the file you wish to load.
5. Choose this file and click OK.


Tip You can also use drag and drop to add the contents of a saved Name Table file to the existing Name Table. Simply drag the Name Table file onto the open Name Table window.

Saving the name table


You can save all or a selected subset of the OmniPeek Name Table to a new file. If you are managing several networks, it may be useful to build and store Name Tables for each of the networks you support.

To save the entire contents of the current Name Table under a new name:

1. Choose View > Name Table. The Name Table window appears.
2. Click the Export button.
3. Choose a location in which to save the file.
4. Click OK.

Tip You can also save selected names from the Name Table. Group folder information is preserved when exporting either individual entries or the entire Name Table.

To save selected names from the current Name Table into a new Name Table file:

1. Choose View > Name Table. The Name Table window appears.
2. Select the entries you wish to export.

Tip You can use Ctrl + click and Shift + click to highlight multiple entries.

3. Right-click and choose Export Selected.
4. Choose a location in which to save the file.
5. Click OK.

Using the OmniEngine trust table


In the OmniEngines window, the Trust Table tab of an OmniEngine allows you to associate physical addresses with a trust value. See Trusted, known, and unknown nodes on page 367.

Note The Trust Table tab is not supported on OmniEngine Linux.


OmniEngine uses the Trust information from the Trust Table in the Expert, WLAN, and Summary statistics views. You can also set alarms and send notifications based on Trust.

OmniEngine trust table tab


Select the Trust Table tab for a connected OmniEngine in the OmniEngines window.
[Figure callouts: Edit, Click here to send changes, Insert, Delete, Refresh]

The Trust Table tab allows you to associate 802.11 WLAN addresses with a trust value: Trusted, Known, or Unknown. These values are used by the WLAN and Summary views of an OmniEngine capture window. The parts of the Trust Table tab are identified below.

• Insert: Click to open the Insert dialog, where you can enter the physical address (MAC address) of the entry and choose one of the three Trust values for this node.
  • Trusted: Can be assigned to the devices on your own network.
  • Known: Lets you identify familiar sources that are beyond your own control, such as an access point in a neighboring office.
  • Unknown: The default value, assumed for any node not listed in the Trust Table.
• Edit: Click to edit the selected entry.
• Delete: Click to delete the selected entry.
• Refresh: Click to update your view of the remote Trust Table with the most recent changes.
• Click here to send changes: Click to send your changes to the OmniEngine.

Note Making changes to the trust values of entries on an OmniEngine is a two-step process: first make the changes in the Insert dialog, then send the changes to the OmniEngine.

OmniEngine name resolution


When an OmniEngine capture window is open, entries in the OmniPeek Name Table can be applied to the display of information in that window. You can also use the name resolution features in OmniPeek for logical and physical addresses in OmniEngine. See OmniPeek name resolution on page 368.

Important! The Expert, WLAN and Summary views of an OmniEngine capture window use the values found in the Trust Table of the OmniEngine on which they are running, not the trust values displayed in the OmniPeek Name Table.


Chapter 18: Viewing Logs

In this chapter:

About logs . . . . . 376
OmniPeek global log . . . . . 376
OmniEngine global log . . . . . 377
OmniPeek capture logs . . . . . 379
OmniEngine capture logs . . . . . 381

About logs
Logs record program processes and events, including program start and stop, notifications, severity levels of notifications, etc. OmniPeek has a global log for the program as a whole as well as individual logs for each OmniPeek capture. See OmniPeek global log on page 376 and OmniPeek capture logs on page 379. OmniEngines have a global log for each OmniEngine as well as individual logs for each OmniEngine capture. See OmniEngine global log on page 377 and OmniEngine capture logs on page 381.

OmniPeek global log


To view the OmniPeek global log, choose View > Log Window. The OmniPeek Log window appears at the bottom of the main window.
[Figure callouts: Log entries, Messages, Messages by level of Severity]

The parts of the OmniPeek Log window are identified below:

• Messages: Shows the total number of messages in the log.
• Messages by level of Severity: Shows total number of messages by each level of severity. You can toggle between hiding and showing the notifications of any level of severity by clicking the severity icon.
• Log entries: Each log entry displays a severity of notification icon and the Date, Time, and Message.

Right-click the log for the following options:

• Save Log: Saves the log as a text file (tab-delimited or comma separated values).
• Print Log: Prints the log to a printer. To alter default print settings, choose Print Setup from the File menu.
• Copy: Copies selected lines from the log to the clipboard as tab-delimited text.
• Copy Hyperlink: Copies selected hyperlinks from the log to the clipboard.
• Open Hyperlink: Opens selected hyperlinks from the log into your browser.
• Clear Log: Clears or empties the log.
• Maximum Log File Size: Opens a dialog in which you can change the maximum size for the Log file, in kilobytes (the default is 4MB). When the limit is reached, the log will delete older entries to make room for newer entries.
• Auto Scroll: Toggles the Auto Scroll feature of the log.

Tip The Web Analysis Module writes URLs it discovers in network traffic to the log. You can access that Internet resource by double-clicking on the URL directly in the Log window. This launches your default Internet browser and opens the selected URL.

You can float the Log window inside of the main window by dragging the OmniPeek Log title to the main window. Double-click the OmniPeek Log title to dock the log back to the bottom of the main window.

OmniEngine global log


To view the OmniEngine global log, select the Log tab for a connected OmniEngine in the OmniEngines window.

[Figure callouts: Log entries, Messages, Messages by level of Severity, Search]

The parts of the OmniEngines Log tab are identified below:

• Messages: Shows the total number of messages in the log.
• Messages by level of Severity: Shows total number of messages by each level of severity.

Tip You can toggle between hiding and showing the notifications of any level of severity by clicking the severity icon at the top of the window.

• Search: Allows you to search text displayed in the Message column of the log. Separate multiple search terms with a white space, or the AND, OR, or NOT (capitalized) operators. A white space is treated like the AND operator.
• Log entries: Each log entry displays a severity of notification icon and the Date, Time, and Message.

Right-click the log for the following options:

• Copy: Copies selected lines from the log to the clipboard as tab-delimited text.
• Copy Hyperlink: Copies selected hyperlinks from the log to the clipboard.
• Open Hyperlink: Opens selected hyperlinks from the log into tabs in your browser.
• Clear Log: Clears the contents of the log.
• Global Messages Only: Toggles between showing global messages only or all messages. The global messages are those relating solely to an OmniEngine itself, such as start and stop events.
• Highlight Search Terms: Highlights the search terms found in the log.

Note The Expert log for each OmniEngine capture window is a separate entity. All other log entries on a single OmniEngine are stored in a single database. When the database becomes full, old entries are deleted to make room for newer entries.

OmniPeek capture logs


There are several differences between the global log and the Log views of OmniPeek capture windows:

• The Log view of an OmniPeek capture window contains only the items that are relevant to that particular capture. The OmniPeek global log contains the results from all packets used to calculate monitor statistics on OmniPeek. See Monitoring network statistics on page 276.
• The entries in the Log view of an OmniPeek capture window are temporary. The log is created when the window is opened and is not saved when the window is closed.
• The Log view of a capture window has a log limit defined in terms of number of log messages allowed in the log. You can select or enter the maximum (Max) number of log messages allowed in the log, and then select or enter the number (Adjust) of log messages to delete once the number of log messages reaches the maximum. The oldest messages are deleted first.

Note To change the default log size in new capture windows, choose Tools > Options. The Options dialog appears. See Configuring the Options dialog on page 408.

To view the OmniPeek capture window log, select the Log view in the capture window.

[Figure callouts: Log entries, Messages, Messages by level of Severity, Search]

The parts of the Log view of an OmniPeek capture window are identified below:

• Messages: Shows the total number of messages in the log.
• Messages by level of Severity: Shows total number of messages by each level of severity.
• Search: Allows you to search text displayed in the Message column of the log. Separate multiple search terms with a white space, or the AND, OR, or NOT (capitalized) operators. A white space is treated like the AND operator.
• Log entries: Each log entry displays a severity of notification icon and the Date, Time, and Message.

Right-click the log for the following options:

• Save Log: Saves the log as a text file (tab-delimited or comma separated values).
• Print Log: Prints the log to a printer. To alter default print settings, choose Print Setup from the File menu.
• Copy: Copies selected lines from the log to the clipboard as tab-delimited text.
• Copy Hyperlink: Copies selected hyperlinks from the log to the clipboard.
• Open Hyperlink: Opens selected hyperlinks from the log into tabs in your browser.
• Clear Log: Lets you clear the contents of the log.
• Auto Scroll: Toggles the Auto Scroll feature of the log.
• Highlight Search Terms: Lets you highlight search terms found in the log.

OmniEngine capture logs


To view the OmniEngine capture window log, select the Log view in the OmniEngine capture window.
[Figure callouts: Log entries, Messages, Messages by level of Severity, Search]

The parts of the Log view of an OmniEngine capture window are identified below:

Messages: Shows the total number of messages in the log. Messages by level of Severity: Shows total number of messages by each level of severity.

OmniEngine capture logs

381

Chapter 18: Viewing Logs

Note Entries to the Log view of an OmniEngine capture window are also written to the Log tab of an OmniEngine, unless Global Messages Only is selected from the context menu. See OmniEngine global log on page 377.

Search: Allows you to search text displayed in the Message column of the log. Separate

multiple search terms with a white space, or the AND, OR, or NOT (capitalized) operators. A white space is treated like the AND operator.

Log entries: Each log entry displays a severity of notification icon and the Date, Time, and Message.

Right-click the log for the following options:

Copy: Copies selected lines from the log to the clipboard as tab-delimited text.
Copy Hyperlink: Copies selected hyperlinks from the log to the clipboard.
Open Hyperlink: Opens selected hyperlinks from the log into your browser.
Clear Log: Clears the contents of the log.
Global Messages Only: Lets you toggle between showing only global messages or all messages. The global messages are those relating solely to an OmniEngine, such as start and stop events.
Highlight Search Terms: Lets you highlight search terms found in the log.
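The Search box described above for both the OmniPeek and the OmniEngine capture window logs accepts terms separated by white space and the capitalized operators AND, OR and NOT, with white space meaning AND. The Python script below is an added example, not part of the OmniPeek User Guide or of WildPackets' software: it reads a constructed tab-delimited export of the kind Save Log writes, totals entries by severity as the Messages by level of Severity readout does, and evaluates a search expression against the Message column. The column names, the operator precedence (NOT binds tightest, then AND, then OR) and case-insensitive matching are this example's assumptions; the guide specifies none of them.

```python
"""Search an exported capture log with AND / OR / NOT the way the Log view does.

Added example, not OmniPeek code. Assumed (the guide does not say): the Save Log
export has Severity, Date, Time and Message columns; precedence is NOT > AND > OR;
a term matches as a case-insensitive substring of the Message column.
"""
import csv
import io
from collections import Counter

# Constructed sample export (tab-delimited); not taken from a real capture.
SAMPLE_LOG = (
    "Severity\tDate\tTime\tMessage\n"
    "Informational\t04/12/2012\t09:15:02\tCapture started on adapter Intel(R) 82579LM\n"
    "Minor\t04/12/2012\t09:15:40\tIP Analysis: TTL expired in transit from 10.0.0.7\n"
    "Major\t04/12/2012\t09:16:11\tICMP Analysis: destination unreachable (port) to 10.0.0.7\n"
    "Severe\t04/12/2012\t09:17:03\tTrigger fired: stop trigger matched filter HTTP\n"
    "Informational\t04/12/2012\t09:17:04\tCapture stopped\n"
)

OPERATORS = {"AND", "OR", "NOT"}


def tokenize(query):
    """Split on white space and insert the implicit AND between adjacent terms:
    "a b" becomes [a, AND, b] and "a NOT b" becomes [a, AND, NOT, b]."""
    tokens = []
    for tok in query.split():
        if tokens and tokens[-1] not in OPERATORS and tok not in ("AND", "OR"):
            tokens.append("AND")
        tokens.append(tok)
    return tokens


def parse_or(tokens):
    """Lowest precedence: OR over AND-groups. Tokens are consumed from the front."""
    left = parse_and(tokens)
    while tokens and tokens[0] == "OR":
        tokens.pop(0)
        left = ("OR", left, parse_and(tokens))
    return left


def parse_and(tokens):
    left = parse_not(tokens)
    while tokens and tokens[0] == "AND":
        tokens.pop(0)
        left = ("AND", left, parse_not(tokens))
    return left


def parse_not(tokens):
    """Highest precedence: NOT applies to the single term (or NOT-term) after it."""
    if tokens and tokens[0] == "NOT":
        tokens.pop(0)
        return ("NOT", parse_not(tokens))
    if not tokens or tokens[0] in OPERATORS:
        raise ValueError("expected a search term")
    return ("TERM", tokens.pop(0))


def parse_query(query):
    tokens = tokenize(query)
    tree = parse_or(tokens)
    if tokens:
        raise ValueError("unexpected token %r" % tokens[0])
    return tree


def matches(tree, message):
    """Evaluate the expression tree against one Message string."""
    kind = tree[0]
    if kind == "TERM":
        return tree[1].lower() in message.lower()
    if kind == "NOT":
        return not matches(tree[1], message)
    if kind == "AND":
        return matches(tree[1], message) and matches(tree[2], message)
    return matches(tree[1], message) or matches(tree[2], message)


def parse_export(text):
    """Read a tab-delimited Save Log export into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def search_log(entries, query):
    """Entries whose Message column satisfies the search expression."""
    tree = parse_query(query)
    return [entry for entry in entries if matches(tree, entry["Message"])]


def count_by_severity(entries):
    """The totals the Messages by level of Severity readout shows."""
    return Counter(entry["Severity"] for entry in entries)
```

Running the same expression over exported logs rather than in the Log view lets one AND/OR/NOT query be reused across logs saved from several captures or engines, for example when pulling together the Analysis Module notifications that belong to one incident.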

Chapter 19: Applying Analysis Modules

In this chapter:

About analysis modules . . . . . 384
Enabling and configuring analysis modules . . . . . 384
Installed analysis modules . . . . . 386

About analysis modules


Analysis Modules are external plug-ins that provide additional highly focused analysis features to the program. An Analysis Module tests network traffic and provides detailed summaries and counts of key parameters, posting its results to the Summary Statistics windows and to the Summary column of the Packets view of capture windows. Enabled Analysis Modules are applied to traffic captured in real time and to packets in the buffer of a capture window.

You can enable and disable Analysis Modules in OmniPeek individually. In addition, many Analysis Modules have user-configurable options, which can be used to further refine the data you collect about your network.

The Analysis Modules shipped with OmniPeek cover a wide range of the most common protocols and network applications. An SDK is available for users to write their own Analysis Modules to report on proprietary protocols or applications, or to present statistics of interest in a particular environment. Visit http://mypeek.wildpackets.com for more information.

Note: OmniEngines with Analysis Modules use a subset of the Analysis Modules available in OmniPeek. For a complete list, see OmniEngine analysis modules on page 386.

Enabling and configuring analysis modules


Choose Tools > Options to open the Analysis Modules options.

Click Analysis Modules in the navigation pane to view a list of available Analysis Modules. The parts of the Analysis Modules options are identified below.

Enabled: Select or clear the check box beside its name to enable or disable the Analysis Module.
Display: Select the check box beside its name to allow the Analysis Module to write details about the packet to the Summary column in the Packets view of any capture window.
Notify: Select the check box beside its name to tell the Analysis Module to send notifications when it detects certain events. For more on associating notifications with actions, see Chapter 16, Sending Notifications.
Max severity: This column allows you to set an upper limit for the severity of the notifications coming from each particular Analysis Module. Each Analysis Module assigns its own level of severity to each type of event it is able to detect. It tries to assign that predetermined severity to any notification of that event. For example, if you enable notification for an Analysis Module and set the maximum severity to Minor, and the Analysis Module then tries to send notifications of Severe, Major, or Minor severity, they will all be treated as Minor.
Options: Click this button to open an Options dialog for the selected Analysis Module. The button will be grayed out if the selected Analysis Module does not have user-configurable options. Alternatively, double-click the Analysis Module to open its corresponding Options dialog.
About: Click this button to display an About Box for the selected Analysis Module.

Apply analysis module command


Analysis Modules are usually applied to packets as they arrive in the buffer from the network, or as they are loaded from a file. Analysis Modules are also re-applied each time the contents of the buffer are changed by hiding or unhiding packets.

To apply the IP Analysis Module to selected packets in a Packet List:

1. Select the packet(s) to which you would like to apply the IP Analysis Module.
2. Right-click, choose the Apply Analysis Module command and select IP Analysis from the submenu. This applies the IP Analysis Module to the selected packet(s) and allows the Analysis Module to write to the Summary column. A message dialog appears showing the number of your selected packets which were processed by the Analysis Module you applied. If the dialog shows less than the total number (for example, 2 of 3 packets applied), it means that the Analysis Module you applied did not find the relevant information.
3. Click OK to close the message dialog.

Using analysis modules


Analysis Modules process packets each time the packets are loaded into a buffer. This means the same Analysis Module may process the same packet several times, but with the results posted to different places in OmniPeek, depending on which buffer is involved. OmniPeek maintains one buffer for monitor statistics and separate buffers for individual capture windows or files.

Important! Analysis Modules that are enabled in the Analysis Modules view of the Options dialog can be disabled in the Analysis Options view of the Monitor Options or Capture Options dialog to optimize performance in individual cases. However, an Analysis Module that has been disabled in the Analysis Modules view of the Options dialog cannot be enabled in the Analysis Options view.

Installed analysis modules


For full descriptions and instructions for applying each Analysis Module, see Appendix D, Analysis Modules.

OmniEngine analysis modules


Analysis Modules operating on OmniEngine captures are enabled and disabled as a group rather than individually, in the Analysis Options view of the OmniEngine Capture Options dialog. The following Analysis Modules are available in OmniEngines:

802.11 Analysis Module
AppleTalk Analysis Module
Email Analysis Module
FTP Analysis Module
ICMP Analysis Module
IP Analysis Module
MPLS-VLAN Analysis Module
NCP Analysis Module
NetWare Analysis Module
RADIUS Analysis Module
SCTP Analysis Module
SMB Analysis Module
SQL Analysis Module
Telnet Analysis Module
VoIP Analysis Module
WAN Analysis Module
Web Analysis Module

Chapter 20: Using AutoCapture

In this chapter:

About AutoCapture . . . . . 390
Creating and editing AutoCapture files . . . . . 390
Using an AutoCapture file . . . . . 398

About AutoCapture
The OmniPeek AutoCapture feature allows the user to automatically start multiple capture windows, each with its own buffer size, adapter selection settings, save options, triggers, filters, and performance settings. When capture in all windows is completed, the AutoCapture function sends the resulting capture files by a user-specified method, and checks for any capture windows having triggers set for Repeat mode. If any capture windows have triggers set for Repeat mode, the AutoCapture file resets the start trigger for these windows. If no capture window has Repeat mode enabled, the AutoCapture file exits the application when the actions specified in the Send options are completed.

AutoCapture settings are saved in a file which can be sent to a remote user. Remote users can double-click the file to run it immediately, or schedule the file to run using the Windows Scheduler.

Note: The AutoCapture function is not supported in OmniEngines.

Creating and editing AutoCapture files


Creating and editing AutoCapture files involves selecting an adapter, defining an AutoCapture template, and selecting Send options. To create or edit AutoCapture (*.wac) files, choose one of the following:

Choose File > AutoCapture > Create New. The AutoCapture File Options dialog appears, with New AutoCapture File Options in the title bar.
Choose File > AutoCapture > Edit Existing. The AutoCapture File Options dialog appears, with the name of the *.wac file in the title bar.

The parts of the AutoCapture File Options dialog are identified below.

[Screenshot: AutoCapture File Options dialog, with callouts for the Insert, Edit, Delete, Import, Export, Move Up, and Move Down buttons]

Log file: You can specify the name and location of a text Log file for the AutoCapture file, or accept the default location (where the new AutoCapture (*.wac) file resides). Each of the actions taken by the AutoCapture file will be appended to the end of the specified log file in text format.
Monitor Adapter: Use the program's default adapter, or click the Edit button to specify one or more search methods for locating an adapter. See AutoCapture adapter search on page 391. The program's default adapter is the valid adapter (an actual NIC, not File or None) most recently selected as the Monitor Adapter in the Monitor Options dialog.
Capture templates: Click the Insert, Edit, Delete, Import, or Export button to create new or modify existing AutoCapture templates. See AutoCapture templates on page 394.
Send options: Click the Insert, Edit, or Delete button to create new or modify existing Send AutoCapture file options, or change their list order by clicking the Move Up or Move Down button. See AutoCapture send options on page 396.

AutoCapture adapter search


To search for an adapter, follow these steps:

1. Click the Edit button to the right of the Monitor Adapter section in the AutoCapture File Options dialog. The AutoCapture version of the Capture Options dialog appears.

[Screenshot: Adapter Search view of the AutoCapture Capture Options dialog, with callouts for the Properties, Insert, Edit, Delete, Move Up, and Move Down buttons]

2. Click Adapter Search in the navigation bar.
3. Use the buttons at right to Insert, Edit, or Delete adapter search routines, or use the Move Up and Move Down buttons to change the order of adapter search routines.

To define a new adapter search method:

1. Click the Insert button. The Adapter Search dialog appears.

2. Use the radio buttons to choose the adapter search method you wish to use:

Search string: This choice selects the first adapter whose description contains a match with the text in the user-supplied search string. You can constrain the search to be Case sensitive and/or to Match whole string. You can see examples of the adapter descriptions over which this Adapter Selection method will search in Windows Device Manager and in the Device Description in the lower pane of the Adapter view of either the Monitor Options or the Capture Options dialog.
First active: This choice selects the first active, usable adapter in the list of adapters installed on the host computer.
User selection: This choice opens the Adapter view of the Capture Options dialog, from which a user must actively choose an adapter.

3. Click OK to add the search method to the list in the AutoCapture Capture Options dialog.

If no adapter search method is listed in the Monitor Adapter section of the AutoCapture File Options dialog, the program will attempt to use its default adapter. If adapter search methods are listed, the AutoCapture file will attempt to use them in the order specified before attempting to use the default adapter.

To edit an existing adapter search method:

1. Highlight an item and click the Edit button. The Adapter Search dialog appears with that method's parameters displayed and ready to edit.
2. Click OK to accept your changes.

To delete an adapter search method:

1. Highlight the item in the Adapter Search view of the special AutoCapture Capture Options dialog.
2. Click the Delete button.

To change the order of adapter search methods:

1. Highlight the item in the Adapter Search view of the special AutoCapture Capture Options dialog.
2. Click the Move Up (or Move Down) button.

After an AutoCapture (*.wac) file has been run successfully, it remembers the adapter it last used. The next time it is run, it first attempts to use that same adapter, regardless of any settings in the Adapter search section. If that attempt fails, it then runs through the adapter search choices.
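The selection order just described (remembered adapter first, then the listed search methods in order, then the program's default adapter) is shown below in Python as an added example; it is not part of the OmniPeek User Guide or of WildPackets' software. The adapter list is constructed and the class names are this example's own. It also assumes, since the guide does not say, that Match whole string requires the whole description to equal the search text, that the remembered adapter "fails" when it is absent or no longer active, and that User selection is a caller-supplied chooser function standing in for the Adapter view prompt.

```python
"""Adapter selection as the AutoCapture Monitor Adapter section describes it.

Added example, not OmniPeek code. Assumptions the guide does not state: adapter
descriptions are plain strings as shown in Windows Device Manager; Match whole
string means the whole description must equal the search text; the remembered
adapter fails when it is absent or inactive; User selection is a chooser function.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Adapter:
    description: str  # text shown in Device Manager and the Adapter view
    active: bool      # usable right now


@dataclass
class SearchString:
    """First adapter whose description contains (or, with match_whole, equals) the text."""
    text: str
    case_sensitive: bool = False
    match_whole: bool = False

    def select(self, adapters: List[Adapter]) -> Optional[Adapter]:
        for adapter in adapters:
            desc, needle = adapter.description, self.text
            if not self.case_sensitive:
                desc, needle = desc.lower(), needle.lower()
            if (desc == needle) if self.match_whole else (needle in desc):
                return adapter
        return None


@dataclass
class FirstActive:
    """First active, usable adapter in the installed list."""

    def select(self, adapters: List[Adapter]) -> Optional[Adapter]:
        return next((a for a in adapters if a.active), None)


@dataclass
class UserSelection:
    """Stand-in for the Adapter view prompt: the supplied chooser decides."""
    chooser: Callable[[List[Adapter]], Optional[Adapter]]

    def select(self, adapters: List[Adapter]) -> Optional[Adapter]:
        return self.chooser(adapters)


@dataclass
class MonitorAdapterSearch:
    """Ordered search methods, the program's default adapter, and the remembered one."""
    methods: list
    default_adapter: Optional[str] = None
    last_used: Optional[str] = None

    def select(self, adapters: List[Adapter]) -> Optional[Adapter]:
        by_name = {a.description: a for a in adapters}
        # A *.wac file that ran successfully remembers its adapter and tries it
        # first, regardless of the search methods listed.
        remembered = by_name.get(self.last_used)
        if remembered is not None and remembered.active:
            return remembered
        # Then the search methods, top to bottom; the first hit wins.
        for method in self.methods:
            chosen = method.select(adapters)
            if chosen is not None:
                self.last_used = chosen.description
                return chosen
        # Finally the program's default adapter, if it is present.
        fallback = by_name.get(self.default_adapter)
        if fallback is not None:
            self.last_used = fallback.description
        return fallback


# Constructed adapter list; not taken from a real machine.
ADAPTERS = [
    Adapter("Microsoft Loopback Adapter", active=False),
    Adapter("Intel(R) 82579LM Gigabit Network Connection", active=True),
    Adapter("Realtek PCIe GBE Family Controller", active=True),
]
```

A search string pinned to a specific description fails loudly, by falling through to the next method or the default, when that card is absent; First active silently picks whatever comes first in the list, which can change when hardware is added, so an AutoCapture file meant to watch one segment is better anchored on the description of the adapter attached to it.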

AutoCapture adapter search types


There are two levels of adapter search in an AutoCapture file:

The settings in the Monitor Adapter section of the AutoCapture File Options dialog provide the default adapter for the AutoCapture file as a whole.
The settings in the Adapter Search view of the Capture Options dialog for each separate capture template within the *.wac file define the method for selecting the adapter for the capture window made from that template. The adapter selected for the AutoCapture file as a whole is treated as the default adapter by the Adapter Search settings of each individual capture template.

An AutoCapture Adapter Search method can also have properties set in the following views:

802.11 view (for 802.11 WLAN adapters). See Configuring wireless channels and encryption on page 414.
Hardware Profiles view (for Gigabit analyzer cards). See Configuring hardware profiles for OmniAdapters on page 426.

Settings in any of these views which do not match the adapter ultimately selected as the Monitor Adapter will be ignored.

Note: The 802.11 view in the special AutoCapture version of the Capture Options dialog differs from all other such views in one respect. Lists of channels are not restricted in this 802.11 view, and any channel may be chosen. However, you must select channels appropriate to the adapter that will be chosen in order for capture to take place.

AutoCapture templates
AutoCapture files use capture templates to create capture windows. Each template creates one capture window. A single AutoCapture file can have multiple capture templates and create multiple capture windows. You can use existing capture templates, or you can create or modify capture templates from within the AutoCapture File Options dialog.

Note: In general, a single capture template can define multiple capture windows. This is not true inside an AutoCapture file. If you import the settings from a multi-window capture template, it will be read into the AutoCapture file as a distinct template for each capture window.

To create a new AutoCapture template, follow these steps:

1. Click the Insert button in the Capture templates section of the AutoCapture File Options dialog. The General view of the Capture Options dialog appears.
2. Specify the name, buffer usage, and packet slicing for this capture template. For more information, see Configuring capture options on page 34.
3. Select Continuous capture and Save to disk in order to use AutoCapture Send options. See AutoCapture send options on page 396.
4. Select Triggers in the Capture Options navigation bar.
5. Set a stop trigger for the capture template. See Setting triggers on page 350.

Important! A stop trigger must be set for each capture template, or the capture will never terminate and no files will be sent. Capture must stop in all the capture windows created by a given AutoCapture file before any files will be sent. Automatic saving of captured packets is only supported under the Continuous capture setting in the General view of the Capture Options dialog. Under the Continuous capture setting, only active user intervention or a stop trigger will stop capture.

6. Click OK to add this template to the list of AutoCapture templates in the AutoCapture File Options dialog.

Tip: You can use the Analysis Options view of the Capture Options dialog to selectively disable program functionality to reduce overhead and speed operation. Because the primary purpose of AutoCapture is to collect packets for later analysis, you can typically disable all functions except capture itself. See Optimizing capture performance on page 411.

To add a previously saved capture template to the list:

1. Click the Import button.
2. Use the file Open dialog to navigate to the location of the capture template (*.ctf) file you wish to add.
3. Choose the file and click OK to add it to the list.

To save a capture template from the list:

1. Highlight its entry in the list.
2. Click the Export button.
3. Use the Save As dialog to name the template and navigate to the location where you would like to save the capture template (*.ctf) file.

To edit the Capture Options for a particular capture template:

1. Highlight the template in the Capture templates section of the AutoCapture File Options dialog.
2. Click the Edit button. The Capture Options dialog appears with that template's parameters displayed and ready to edit.
3. Click OK to close the dialog and accept your changes.

Tip: A filter file with the same name as the AutoCapture (*.wac) file will automatically be imported from the same location when an AutoCapture session starts. The filter will be added to the existing list.

To delete a capture template from the list:

1. Highlight the listing for that template in the Capture templates section of the AutoCapture File Options dialog.
2. Click the Delete button.

AutoCapture send options


When capture is stopped in all capture windows, the program attempts to send a single capture file using the first send option listed in the Send options section of the AutoCapture File Options dialog. If the first send option fails, the program tries any remaining send options in the order in which they are listed. All capture files are sent using the first send option that succeeds, and any remaining send options are ignored. If no send option succeeds, no capture files are sent.

Important! You must save captured packets before they can be sent using the Send options. This means you must enable the Continuous capture and Save to disk options in the General view of the Capture Options dialog for each template.

There are three types of send option: Email, FTP, and Command line. You can create multiple instances of the same type (for example, multiple Email send options, each using a different server), but only the first successful send option will actually be used by the program.

To create a new send option, follow these steps:

1. Click the Insert button in the Send options section of the AutoCapture File Options dialog. The Send Options dialog appears.
2. Use the radio buttons to choose the type of option:

Email: Sends the capture files as attachments in email, one file per email. You must specify a valid email Server, and valid email addresses in the To and From edit boxes. The Subject line is optional.
FTP: Copies the capture files to the specified Path (directory) using FTP. You must specify a valid FTP Server, a valid User name and Password for that server, and the Path to a valid directory on that server.
Command line: Executes the specified command line instruction on each capture file in turn. Enter a valid command line in the text entry box, using the string %1 as a substitute for the file names of the capture files. For example, to copy the files to the C:\temp\ directory, the command line would be:
copy %1 C:\temp\

3. Click OK to create the specified send option and close the dialog.

Note: The Remove files after send completes option is enabled or disabled for each send option individually. The files are only removed if this option is enabled in the particular send option ultimately used to send the files; it is ignored when it is enabled in a send option that is not used.

To edit a send option:

1. Highlight its entry in the Send options section of the AutoCapture File Options dialog.
2. Click the Edit button to bring up the Send Options dialog with that option's parameters displayed and ready to edit.
3. Click OK to accept your changes.

To delete a send option from the list:

1. Highlight its entry in the Send options section of the AutoCapture File Options dialog.
2. Click the Delete button.

The program will try the send options in order from top to bottom as they appear in the Send options section of the AutoCapture File Options dialog. To change the list order:

1. Highlight a list item.
2. Use the Move Up or Move Down buttons to move the item.
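The send option chain described in this section (the first option is tried with one file, the first success sends every file, the remaining options are ignored, and files are removed only when the option actually used has Remove files after send completes enabled) is shown below in Python as an added example; it is not part of the OmniPeek User Guide or of WildPackets' software. Email and FTP cannot be exercised offline, so an always-failing sender stands in for an Email option whose server is unreachable and a copy into a local directory stands in for the FTP option's copy to Path; the Command line option performs real %1 substitution on a template such as the copy %1 C:\temp\ example above. The class and function names, and the placeholder capture files, are this example's own.

```python
"""Send option fallback as the AutoCapture send options section describes it.

Added example, not OmniPeek code. FailingEmailSend stands in for an Email option
with an unreachable server, CopyToDirectory for the FTP option's copy to Path;
CommandLineSend does the real %1 substitution. Names are this example's own.
"""
import os
import shutil
import subprocess
import tempfile
from dataclasses import dataclass


def build_argv(template, path):
    """Substitute %1 as one whole argument, so a file name containing spaces is
    passed intact and is never re-parsed by a shell."""
    return [path if tok == "%1" else tok for tok in template.split()]


@dataclass
class FailingEmailSend:
    """Stand-in for an Email option whose mail server cannot be reached."""
    server: str
    remove_after: bool = False

    def send(self, path):
        return False


@dataclass
class CopyToDirectory:
    """Stand-in for the FTP option: copies the file into a local directory."""
    directory: str
    remove_after: bool = False

    def send(self, path):
        shutil.copy(path, self.directory)
        return True


@dataclass
class CommandLineSend:
    """Command line option: runs the template once per file with %1 replaced."""
    template: str
    remove_after: bool = False

    def send(self, path):
        return subprocess.run(build_argv(self.template, path)).returncode == 0


def run_send_options(files, options):
    """Try the options top to bottom with the first file; the first one that
    succeeds sends every file and the rest are ignored. Files are removed only
    when the option actually used has remove_after set.
    Returns (option_used, removed_files), or (None, []) if nothing succeeded."""
    if not files:
        return None, []
    for option in options:
        if not option.send(files[0]):
            continue
        for path in files[1:]:
            option.send(path)
        removed = []
        if option.remove_after:
            for path in files:
                os.remove(path)
                removed.append(path)
        return option, removed
    return None, []


def demo():
    """Two constructed capture files and a failing-then-succeeding option list."""
    work = tempfile.mkdtemp()
    files = []
    for name in ("cap1.pkt", "cap2.pkt"):
        path = os.path.join(work, name)
        with open(path, "wb") as fh:
            fh.write(b"\x00" * 16)  # constructed placeholder, not a real capture
        files.append(path)
    sent = os.path.join(work, "sent")
    os.mkdir(sent)
    options = [
        FailingEmailSend("mail.example.invalid", remove_after=True),  # fails
        CopyToDirectory(sent),                                        # used
        CopyToDirectory(os.path.join(work, "never"), remove_after=True),  # ignored
    ]
    used, removed = run_send_options(files, options)
    result = {
        "used_index": options.index(used),
        "removed_first_run": len(removed),
        "copied": sorted(os.listdir(sent)),
        "originals_remain": all(os.path.exists(p) for p in files),
    }
    # Second run: the option actually used now has remove_after enabled.
    _, removed = run_send_options(files, [CopyToDirectory(sent, remove_after=True)])
    result["removed_second_run"] = len(removed)
    result["originals_remain_after"] = any(os.path.exists(p) for p in files)
    shutil.rmtree(work)
    return result
```

Substituting %1 as one complete argument, rather than splicing the file name into a command string handed to a shell, keeps a capture file name with spaces or shell metacharacters as a single argument; that is the choice build_argv makes, and demo() exercises the fallback order and the per-option removal rule end to end.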

Using an AutoCapture file


To execute an AutoCapture, double-click an AutoCapture (*.wac) file or specify the file on the command line. For example:
omnipeek.exe c:\temp\Poitiers.wac

When launched with an AutoCapture file as its object, the program will:

1. Establish a log file, if one is specified for the AutoCapture file.
2. Search the directory where the AutoCapture (*.wac) file is located, looking for a file of the same name but with the filter (*.flt) file extension. If it finds such a filter file in that directory, it will import it into the Filters window.
3. Run through the adapter search methods in the Monitor Adapter section of the AutoCapture file to select a valid adapter. If multiple methods are enabled, they will be tried in the order specified, and the first successful selection will set the Monitor Adapter.
4. Create the capture window(s) specified by the capture template(s), executing the Adapter search methods (if any) specified by each individual capture template. The adapter found by the methods specified in the Monitor Adapter section of the AutoCapture file will become the fall-back or default adapter for each of these individual adapter searches.
5. Start capture or set the start/stop triggers for each capture window.
6. Wait for all capture windows to stop capturing.

Important! Be sure to enable the Continuous capture and Save to disk options and set a Stop Trigger for every capture template in the AutoCapture file. No files will be sent until capture is stopped in all capture windows. Packets must be saved before they can be sent.

7. Run through the Send options to send or save any capture files. The first successful send option will be used to send all of the files.
8. Remove the sent or saved files if Remove files after send completes is selected for the Send Option used.
9. Check to see if any of the created capture windows has triggers set to Repeat mode. For any capture window for which Repeat mode is enabled, the AutoCapture file will clear the capture buffer and return to step 5.
10. If no capture window has triggers set to Repeat mode, the AutoCapture file will exit the program when the send options are completed.

Using AutoCapture files as scheduled tasks


The program can also be scheduled with the Windows Task Scheduler, available from the Windows Control Panel. The easiest way to use an AutoCapture file as a scheduled task is to create a batch file (*.bat) with the desired command line, then schedule the batch file to run at a specified time in the Task Scheduler. See Starting OmniPeek from the command line on page 494.

Chapter 21: Sending Packets

In this chapter:

About sending packets . . . . . 402
Selecting the send adapter . . . . . 402
Sending the send packet . . . . . 403
Editing the send packet . . . . . 405

About sending packets


You can send as well as receive packets, when a supported adapter capable of network services is selected as the send adapter. The Send Packets feature lets you test potential problems actively without having to wait for events to reveal a possible source of trouble. You can use the Send Packets feature to generate a very small amount of network traffic, or to probe specific computers to observe their reactions. You can also check network connections by using the Send Packets feature at the computer being checked, while using a second computer to observe the resulting activity. Developers can also use the Send Packets feature to test protocol implementations.

Note: The Send Packets feature is not available from an OmniEngine capture window.

Selecting the send adapter


Before you can send packets, you must first select an adapter as the send adapter. To select a send adapter:

1. Choose Send > Select Send Adapter.
2. Select a supported network adapter.
3. Click OK.

Important! If you are using a wireless adapter and the adapter you select as the send adapter is also currently selected as the monitor adapter or a capture adapter, you will not be able to send packets with this wireless adapter. Please select another wireless adapter or stop capture before using the Send Packets feature. In addition, the WildPackets OmniAdapters are optimized for capture and cannot send packets.

Sending the send packet


A generic packet is available to use as the default send packet. You can also select any packet from the Packets view of an active window and use that packet as the send packet. There are three ways to send packets:

Send a single copy of the send packet out on the network.
Send bursts of multiple copies of the send packet at specified intervals.
Send a selected packet or group of packets in a single burst.

CAUTION! Setting a Broadcast or a Multicast packet as the send packet will cause all nodes to process this packet and force switches to forward the packet onto all segments.

To set the parameters for send events:

1. Choose Send > Send Window. The Send window appears.

The settings in the dialog are described below:

Packets per burst: Type or select the number of packets in a single burst.
Delay between bursts: Type or select the interval between bursts.

Transmit One: Click this button to send exactly one copy of the specified send packet.
Initiate Send: Click this button to begin sending packets.
% Utilization / Packets/s: These digital readout dials show the % utilization (percent of utilization of maximum network bandwidth) and packets/s (packets per second) represented by the packets being sent in the current send event.
Packets sent: Displays the total number of packets sent in the current send event.
Reset: Click this button to reset the dialog to its default values.

2. Configure the dialog for one of the send options described below.

a. To send a single copy of the send packet onto the network:
Select the send packet in the Packets view of a capture window. Right-click and select Set Send Packet.
Click the Transmit One button in the Send Window dialog.

b. To send bursts of multiple copies of a packet onto the network:
Select the send packet in the Packets view of a capture window. Right-click and select Set Send Packet. Alternatively, choose Send > Set Send Packet.
Configure the Packets per burst and Delay between bursts in the Send Window dialog.
Click the Initiate Send button in the Send Window dialog.

c. To send selected packets onto the network in a single burst:
Select the send packets in the Packets view of a capture window. Right-click and select Send Selected Packets. Alternatively, choose Send > Send Selected Packets.
Click the Initiate Send button in the Send Window dialog.

CAUTION! Sending large volumes of traffic onto the network can slow down service for other users. Also, if you set the Send window to send a large number of packets with too small an interval, you may prevent your computer from doing any of the other tasks that it does normally.

404 Sending the send packet

OmniPeek User Guide

Editing the send packet


You can edit the contents of the send packet to customize the data sent across the network. To edit the contents of the send packet:

1. Choose Send > Edit Send Packet. The Edit Send Packet window appears. The layout of the Edit Send Packet window is similar to that of the Packet Decode window, with a Decode view above and a Hex pane (containing hexadecimal and ASCII data) below.
2. Make your edits to either the hexadecimal or ASCII data. As you make your edits, the Decode view is updated.
3. Click OK when you have finished making your edits.

Chapter 22: Configuring Options

In this chapter:

Configuring the Options dialog . . . . . 408
Configuring display format options . . . . . 409
Configuring color options . . . . . 410
Customizing the tools menu . . . . . 411
Optimizing capture performance . . . . . 411

Configuring the Options dialog


Many features in OmniPeek are configured in the Options dialog.

Note: Click the Help button in each of these views to learn more about specific options and settings.

To open the Options dialog, choose Tools > Options.

You can configure the following from the Options dialog:

Workspace: These options let you set the default behavior for scrolling, saving, and restoring windows.
Capture Button: These options let you configure color and flash settings for the Start Capture, Stop Capture, and Start/Stop/Abort Trigger buttons in a capture window.
List Views: These options let you set the background color and how vertical and horizontal lines appear whenever a list view is displayed.
Fonts: These options let you set the font, style, and size of the text used throughout the application.
Name Resolution: These options let you control how name and address substitutions are handled in the Name Table. See OmniPeek name resolution on page 368.
Client/Server Colors: These options let you control the color display of clients and servers in Expert and Web views. See Setting client/server colors on page 186.
VoIP: These options let you specify a geographical region and VoIP emulation model to use when calculating VoIP quality scores. See Setting VoIP options on page 271.
Units: These options let you set the units for time and throughput in Expert and Visual Expert views. See Setting units for time and throughput on page 187.
Analysis Modules: These options let you configure the Analysis Modules. Analysis Modules process packets each time they are loaded into a buffer for monitor statistics and capture windows. See Enabling and configuring analysis modules on page 384.
Notifications: These options let you configure Notifications. Notifications are messages sent from triggers, alarms, Analysis Modules and other parts of the program to announce and describe the occurrence of specified events. See Configuring notifications on page 358.
Warnings: These options let you control the behavior of automatic warning dialogs that appear in the application.
Matrix Switches: These options let you control Datacom and/or Net Optics matrix switches that are installed and connected. See Chapter 27, Using Matrix Switches.
Key Set: These options let you create and edit Key Sets used for 802.11 security. See Configuring wireless channels and encryption on page 414.
ORA Groups: These options let you manage OmniPeek Remote Assistant files between computers. See Chapter 25, OmniPeek Remote Assistant.
GPS: These options let you enable and configure the GPS (Global Positioning System) feature. GPS allows you to analyze data provided by a separately purchased GPS receiver. See Chapter 26, Global Positioning System.

Configuring display format options


You can configure how certain information is displayed in various lists, such as the Nodes view, Packet List pane, and the Node Statistics window. The Display Format submenu (choose View > Display Format) has the following options:

Show Address Names: Enable this option to display a node's name from the Name Table (if any) instead of its address whenever packets are encountered to or from the node.
Show Port Names: Enable this option to display a port's name from the Name Table (if any) instead of its address whenever packets are encountered to or from the port.


Chapter 22: Configuring Options

Logical Address: Enable this option to display logical addresses instead of physical addresses, wherever logical addresses are available.
Physical Address: Enable this option to display physical addresses instead of logical addresses, wherever physical addresses are available.
Local Time: Enable this option to show all timestamps adjusted for local time settings (such as time zone and Daylight Saving Time) on the local computer. When disabled, all timestamps are displayed in UTC (Coordinated Universal Time).

Configuring color options


You can configure how colors already assigned in other dialogs will be used in displaying packets. There are four sources of color assignments for elements of network traffic:

The Flags view of the Packet List Options dialog (available by left-clicking anywhere in the Packet List pane headers) determines the color associated with error or trigger packets. You can also assign a color to 802.11 WLAN management packets and control packets, as well as to encrypted packets and/or to packets with decryption errors.
The Edit Name dialog in the Name Table can set the color for packets associated with a particular address (node), port, or protocol.
ProtoSpecs assigns colors to all the protocols it can identify. ProtoSpecs color choices cannot be overridden.
The Insert Filter or Edit Filter dialog can set the color for any filter you create or edit.

The Color submenu (choose View > Color) has the following options:

Source: Shows packets destined for a particular node in the color assigned to that node in the Name Table.
Destination: Shows packets destined for a particular node in the color assigned to that node in the Name Table.
Protocol: Shows packets in the color assigned to protocols by ProtoSpecs. If ProtoSpecs cannot identify the protocol and the protocol is listed in the Name Table and has a color assigned there, then the color assigned in the Name Table will be used.
Filter: Shows packets that are captured through a filter in the color assigned to that filter in the Edit Filter dialog.
Flag: Shows packets that have been flagged in the color assigned to trigger, error, and other flagged packet types in the Packet List Options dialog.
Independent: Shows each of the above items in its own assigned color.
No Color: Turns off all color coding.


Customizing the tools menu


You can add other WildPackets programs to the Tools menu, allowing you to start these programs from within OmniPeek.

To add a program to the Tools menu:
1. Choose Tools > Customize. The Customize Tools Menu dialog appears.
2. Click the Insert button.
3. Type the Menu text to set the name of the tool as it will appear in the Tools menu.
4. Type or browse to the location of the tool in the Command field.

Tip You can also enter any Arguments for the program and set its initial directory by typing the path or using the (ellipsis) button to navigate to its location.

5. Click OK to accept your changes.

Optimizing capture performance


You can increase capture or monitor performance by selectively disabling certain analysis options and subsequently freeing up system resources. The Analysis Options of either the Capture Options or Monitor Options dialog lets you enable or disable various options for the currently selected adapter.

To enhance capture performance:
1. Do any of the following to open the Capture Options or Monitor Options dialog:

Choose Capture > Start Capture.


Click New Capture from the Start Page.
Choose Monitor > Monitor Options.

Note For an OmniEngine, open the OmniEngines window, click the Captures tab, and then either create a new capture window or click the Capture Options icon for an existing capture to open the Capture Options dialog.

2. Click the Analysis Options view.
3. Select the various options that you want enabled. The colored bar at the bottom displays the relative capture performance achieved as you enable or disable options. Disabling options will move the indicator to the right (maximum performance), while enabling functions will move the indicator to the left (minimum performance).
4. Click OK.

Note You can highlight the Analysis Modules (OmniPeek console only), Node Statistics, Node/Protocol Detail Statistics, Protocol Statistics, and Voice & Video Analysis options and then click the Details button to display additional options for controlling the use of resources by these options. Click the Help button on the dialogs that appear for information on the available options and settings.


Chapter 23: Capturing Data for Wireless Analysis

In this chapter:
About 802.11 . . . . . . . . . . 414
Configuring wireless channels and encryption . . . . . . . . . . 414
Troubleshooting WLAN . . . . . . . . . . 419
Optimizing wireless analysis . . . . . . . . . . 420
Roaming latency analysis . . . . . . . . . . 422


About 802.11
You can use OmniPeek to capture and monitor 802.11 WLAN traffic on your network. A supported wireless adapter must be selected as the capture or monitor adapter, and the adapter must have the appropriate WildPackets wireless driver installed. Check the Readme in the driver folder (for example, C:\Program Files\WildPackets\OmniPeek\Driver) for installation instructions. You can also download the appropriate drivers from http://www.wildpackets.com/support/downloads/drivers. See also System requirements on page 5 and Supported adapters on page 5 for additional information on wireless adapters and driver requirements.

Important! Changes made to the settings of a particular adapter are applied whenever that adapter is selected as the capture or monitor adapter.

Configuring wireless channels and encryption


When a wireless adapter is selected as the capture or monitor adapter, you can specify the channel settings used by the adapter to listen for traffic on your 802.11 WLAN. You can choose to listen for traffic occurring on a specific channel, or scan a range of channels. Additionally, if WEP, WPA (using a pre-shared key), or WPA2 (using a pre-shared key) encryption is enabled on your network, you can define or select key sets used to decrypt the WEP, WPA, or WPA2 encryption.

To configure wireless channels and encryption:
1. Open the Capture Options or Monitor Options dialog.

Note For an OmniEngine, you will need to open the 802.11 tab of the Adapter Options dialog. To open the Adapter Options dialog, click the Adapters tab in the OmniEngines window and then click Options for the selected wireless adapter.

2. Select the 802.11 options (or 802.11 tab).


3. Select the option for selecting channels:

Number: Select this option to specify a specific channel, and then select the channel from the list.
Scan: Select this option to scan for traffic on multiple channels. You will need to click the Edit Scanning Options button to select the channels. See Edit scanning options below.


4. If WEP, WPA, or WPA2 encryption is enabled on your network, select the key set used to decrypt the WEP, WPA, or WPA2 encryption. See Edit key sets on page 417 to define or edit key sets.

Edit scanning options


From the 802.11 options in the Capture Options or Monitor Options dialog, you can specify and configure channels to scan. Scanning multiple channels can be invaluable when troubleshooting interference or optimizing the location and channel choice for new access points. Channel scanning is often used in conjunction with the WLAN, Channel, and Signal statistics.

Note If WPA/WPA2 encryption using a pre-shared key is enabled on your network, we recommend not enabling the Edit Scanning option in order to make sure that all packets required for decryption are captured. A four-way (WPA2) or six-way (WPA) handshake authentication establishes the PTK (Pairwise Transient Key) and GTK (Group Transient Key) used for encryption. All of the EAPOL key exchanges must be captured to derive the PTK and GTK.

To select channels to scan:
1. Open the Capture Options or Monitor Options dialog.
2. Select the 802.11 options.
3. Select the Scan option and then click the Edit Scanning Options button. The Channel Scanning Options dialog appears, listing the channels appropriate to the current adapter.
4. Select the check box of the channels you want to include in the scan. (Right-click inside the dialog to display options for enabling and disabling channels.)


Tip Click a value in the Duration column to configure the amount of time you want OmniPeek to listen for traffic on the channel.

5. Click OK.

Edit key sets


From the 802.11 options in the Capture Options or Monitor Options dialog, you can define or edit key sets used to decrypt WEP, WPA, or WPA2 encryption. You must first display the Key Sets dialog in order to define or edit a key set.

To display the Key Sets dialog:
1. Open the Capture Options or Monitor Options dialog.
2. Select the 802.11 options.
3. Click the Edit Key Sets button. The Key Sets dialog appears.
4. Click one of the buttons in the dialog to insert, edit, duplicate, or delete a key set.

Defining a new key set


To define (insert) a new key set: 1. From the Key Sets dialog, click the Insert button. The Edit Key Set dialog appears.


2. Enter the Name for the key set.
3. Select the key type from the list:

WEP: 64-bit Shared Key: The key that you enter must consist of 10 hexadecimal digits (0-9, A-F). You can define up to four keys.
WEP: 128-bit Shared Key: The key that you enter must consist of 26 hexadecimal digits (0-9, A-F). You can define up to four keys.
WEP: 152-bit Shared Key: The key that you enter must consist of 32 hexadecimal digits (0-9, A-F). You can define up to four keys.
WEP: User defined length Shared Key: The key that you enter can consist of an arbitrary length (0-9, A-F; up to 506 hex characters, or 253 bytes). You can define up to four keys.
WPA/WPA2: 256-bit Pre-Shared Key: The key that you enter must consist of 64 hexadecimal digits (0-9, A-F). Only one key can be defined.
WPA/WPA2: Passphrase: You must enter both the Phrase (the same passphrase used in configuring the access point for WPA/WPA2) and SSID (the name of the wireless network) to use in creating the pre-shared Key (which appears as the Key).

Note In all of these cases, the encryption algorithm adds an additional three bytes to the keys.

Tip You can clear the Hide typing check box to show the actual characters of the hex number used for the key set and passphrase contents. Selecting the Hide typing check box adds another level of security by replacing the actual characters on the screen with dots.

4. Enter the key set(s) or Passphrase for the key type you have selected.


5. Click OK. For information on applying a key set to decrypt all or some of the WEP or WPA-encrypted packets directly from either the Packets view or packet decode window, see Applying decryption in the Packets view on page 102 or Decoding packets on page 108.
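The length rules for the key types above, and the way the WPA/WPA2: Passphrase type turns a Phrase and SSID into the 64-digit Key (the PMK from which the EAPOL handshake described under Edit scanning options derives the PTK), as an added example in Python. This is not OmniPeek's code; the key-type names and helper functions are my own, and the derivation is the one IEEE 802.11i specifies (PBKDF2-HMAC-SHA1, 4096 iterations, 32 bytes).

```python
"""Added example (not OmniPeek code): validate key-set entries for the key types
the Edit Key Set dialog lists, and derive the WPA/WPA2 pre-shared key from a
passphrase and SSID the way IEEE 802.11i specifies.  The 64 hex digits returned
are what the dialog displays as the Key once Phrase and SSID are entered."""
import hashlib
import re

HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")

# Key type -> exact number of hex digits required (None = user defined length).
# The WEP names count the 24-bit IV that the cipher prepends to the secret key;
# that IV is the "additional three bytes" the guide's note refers to.
# Key type names are my own labels for the dialog's entries.
KEY_TYPES = {
    "WEP 64-bit": 10,            # 40-bit secret + 24-bit IV
    "WEP 128-bit": 26,           # 104-bit secret + 24-bit IV
    "WEP 152-bit": 32,           # 128-bit secret + 24-bit IV
    "WEP user defined": None,    # whole bytes, up to 506 hex digits (253 bytes)
    "WPA/WPA2 256-bit PSK": 64,  # 256-bit PMK, exactly one key
}
WEP_USER_MAX_HEX = 506


def validate_key(key_type, key_hex):
    """Return None if key_hex is acceptable for key_type, else a reason string."""
    if key_type not in KEY_TYPES:
        return f"unknown key type {key_type!r}"
    if not key_hex or not HEX_RE.match(key_hex):
        return "key must be non-empty and contain only hexadecimal digits (0-9, A-F)"
    want = KEY_TYPES[key_type]
    if want is None:
        if len(key_hex) % 2 or len(key_hex) > WEP_USER_MAX_HEX:
            return (f"user defined WEP key must be whole bytes and at most "
                    f"{WEP_USER_MAX_HEX} hex digits")
        return None
    if len(key_hex) != want:
        return f"{key_type} key must be exactly {want} hex digits, got {len(key_hex)}"
    return None


def validate_key_set(key_type, keys):
    """Validate a whole key set: WEP types allow up to four keys, WPA/WPA2 exactly one."""
    limit = 1 if key_type.startswith("WPA") else 4
    if not 1 <= len(keys) <= limit:
        return f"{key_type} allows between 1 and {limit} key(s), got {len(keys)}"
    for key in keys:
        err = validate_key(key_type, key)
        if err:
            return err
    return None


def wpa_psk_from_passphrase(passphrase, ssid):
    """Derive the 256-bit PSK/PMK from passphrase and SSID (IEEE 802.11i):
    PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 32-byte output.
    Returns 64 lowercase hex digits; an AP and an analyzer given the same
    Phrase and SSID compute the same value, which is why both are required."""
    if not 8 <= len(passphrase) <= 63:      # 802.11i passphrase length rule
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    psk = hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                              ssid.encode("utf-8"), 4096, 32)
    return psk.hex()


if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE".
    print(wpa_psk_from_passphrase("password", "IEEE"))
    print(validate_key_set("WEP 64-bit", ["0123456789", "ABCDEF0123"]))
```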

Editing a key set


To edit an existing key set:

From the Key Sets dialog, select a key set and click the Edit button. The Edit Key Set dialog appears. The steps to edit the key set are essentially the same as when you define the key set, as explained above.

Duplicating a key set


To duplicate an existing key set:
1. From the Key Sets dialog, select a key set and click the Duplicate button. A copy of the key set is immediately added to the existing list.
2. You can edit the copy of the key set as explained above.

Deleting a key set


To delete an existing key set:
1. From the Key Sets dialog, select a key set and click the Delete button.
2. Click Yes to delete the key set.

Troubleshooting WLAN
To troubleshoot a WLAN, you must first capture the wireless data carrying the WLAN information. Capturing data for wireless analysis can be broken down into two main categories: portable and distributed. The type of data captured and retained varies depending on the intended use of the data. OmniPeek is designed for troubleshooting and root cause analysis, therefore it captures and stores every 802.11 packet.

Portable analysis
Portable analysis requires that the analyst be present at the source of data collection with the appropriate hardware and software to perform the analysis. Portable analysis using OmniPeek is typically done with a laptop computer running OmniPeek, using one or more supported wireless adapters.


Distributed analysis
Distributed analysis allows the analyst to collect data from remote locations and analyze the data locally. This eliminates costly visits to remote locations for portable analysis. OmniPeek supports two primary methods for distributed analysis.

Remote Adapters
If you have an Aruba or Cisco access point (remote adapter) that supports the WildPackets API, you can stream packets from one or more of those adapters into a wireless capture window in OmniPeek. See Capturing Packets from an Aruba Remote Adapter on page 43 or Capturing Packets from a Cisco Remote Adapter on page 44.

Note Capturing packets from either an Aruba or Cisco remote adapter is not supported from an OmniEngine.

OmniEngines
OmniEngines provide data capture and analysis 24 hours a day without requiring ongoing monitoring by the analyst. OmniEngines are Windows software or Linux appliances (Omnipliances) that are designed for continuous, remote operation. For wireless analysis, supported wireless adapters need to be added to enable wireless capture. OmniEngines are controlled using OmniPeek as a console. See Chapter 2, Using OmniEngines with OmniPeek.

Optimizing wireless analysis


OmniPeek is designed for a wide range of analysis tasks, but very often only a limited set of analysis options are pertinent to the task at hand. Here are some guidelines for configuring various analysis options to optimize performance for wireless analysis:

Analysis Options: The analysis capabilities of OmniPeek are broken down into functional options. It is often the case that not all functional analysis options will be needed for the work being done. Turning off unnecessary analysis options will improve OmniPeek performance. To view and turn off unneeded analysis options when starting a new capture, see Optimizing capture performance on page 411.

Note If you later find that you need a certain analysis option that you disabled, and you saved the packet capture files, just enable the analysis option and open the packet file to see the newly enabled analysis results.


Expert Event Analysis: In addition to functional analysis options, OmniPeek continually monitors the network for Expert events, network anomalies, and suboptimal performance at all layers of the network, from application to physical. It also shows network events associated with wireless-specific anomalies and VoIP calls. Each individual Expert event can be enabled or disabled separately. It is important to review the Expert events to ensure that events you want to analyze are enabled. Once a capture is started, choose any one of the Expert Views from the left-hand navigation of the main Capture Window, and then click on the Expert EventFinder Settings icon. The Expert EventFinder Settings dialog box will appear, allowing each individual Expert event to be configured and enabled or disabled. Pay special attention to the VoIP and Wireless Expert Events, as these can be extremely useful in identifying VoWLAN issues before they become serious problems.
Multichannel Analysis: Multichannel analysis allows multiple, simultaneous captures on unique wireless channels with all captured packets analyzed as if they were a single capture. This is extremely useful for analyzing situations where users are roaming from channel to channel, or when it is known where a problem is but not what channel the wireless client is using. See Capturing Packets from an Aggregator Adapter on page 42.
Roaming: Roaming latency analysis provides detailed information every time a wireless client moves from one AP to another. Roaming latency analysis requires multichannel analysis since roaming typically involves a change in channel. See Roaming latency analysis on page 422.

Note Roaming assumes wireless clients are moving from one channel to another. If the capture is for a single channel, no roaming will be detected or reported. If the capture is scanning, roaming will be detected and reported but the latency measurements will not be accurate. For best results, roaming should be used along with the Wireless Channel Aggregator. See Capturing Packets from an Aggregator Adapter on page 42.

The VoIP Dashboard: The Voice & Video dashboard provides a visual summary of voice and video calls, including VoWLAN calls, as well as useful graphs and statistics to troubleshoot and analyze voice and video traffic. See Voice & Video dashboard on page 64.
Voice & Video Views: The Voice & Video views in capture windows provide simultaneous analysis of voice and video traffic, including VoWLAN calls, with subjective and objective quality metrics. The Calls view displays one row for each call in a capture, and the Media view displays one row for each RTP media flow in a call. See Voice & Video view window on page 254.


Roaming latency analysis


Roaming latency is the amount of time it takes for a wireless device to move from one access point to another. This is also known as re-association. You can use OmniPeek to perform roaming latency analysis by measuring the amount of time between the last known data packet for a device on one access point, and the first data packet seen for that device on another access point. This is extremely useful in determining whether latency is caused by devices on the network, applications on the network, or the network itself. Roaming latency analysis requires multichannel analysis since roaming typically involves a change in one or more channels. See Capturing Packets from an Aggregator Adapter on page 42. Once you have started capturing from one or more of the wireless adapters, you can see the roaming latency data displayed in the three Roaming views: Log, by Node, and by AP.

Log
The Log view displays a log entry each time a roaming device is detected.


by Node
The by Node view displays an entry for each device, and maintains an average latency value for that device.

by AP
The by AP view displays an entry for each access point, and maintains an average latency value for that AP.
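The measurement described above (time from the last data packet for a client via one BSSID to the first data packet for it via another), reduced to the Log, by Node, and by AP summaries, as an added example in Python. It is not OmniPeek's code: the packet record layout is a constructed stand-in for decoded 802.11 frames, and attributing each roam's latency to the AP the client joins is my assumption about how the by AP average is kept.

```python
"""Added example (not OmniPeek code): roaming latency from a merged, multichannel
packet stream.  Works only when frames on both the old and the new AP's channel are
captured, which is why the guide pairs roaming analysis with the channel aggregator;
a single-channel capture never sees a BSSID change and a scanning capture may miss
the last frame on the old channel, inflating the measured latency."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts_us: int      # capture timestamp in microseconds
    client: str     # client station MAC address
    bssid: str      # BSSID (access point) the frame was exchanged with
    is_data: bool   # True for 802.11 data frames; management/control are ignored


@dataclass(frozen=True)
class RoamEvent:
    ts_us: int          # time of the first data packet on the new AP
    client: str
    from_bssid: str
    to_bssid: str
    latency_us: int     # new-AP first data packet minus old-AP last data packet


def analyze_roaming(packets):
    """Return (log, by_node, by_ap).

    log     : list of RoamEvent, one per detected roam (the Log view)
    by_node : client -> average latency in microseconds (the by Node view)
    by_ap   : bssid  -> average latency of roams into that AP (the by AP view;
              charging the joined AP is an assumption, not the guide's statement)
    """
    last_data = {}                  # client -> (bssid, ts_us) of its last data packet
    log = []
    node_lat = defaultdict(list)
    ap_lat = defaultdict(list)

    for p in sorted(packets, key=lambda pkt: pkt.ts_us):
        if not p.is_data:           # only data frames delimit "associated and passing traffic"
            continue
        prev = last_data.get(p.client)
        if prev is not None and prev[0] != p.bssid:
            latency = p.ts_us - prev[1]
            log.append(RoamEvent(p.ts_us, p.client, prev[0], p.bssid, latency))
            node_lat[p.client].append(latency)
            ap_lat[p.bssid].append(latency)
        last_data[p.client] = (p.bssid, p.ts_us)

    by_node = {c: sum(v) / len(v) for c, v in node_lat.items()}
    by_ap = {a: sum(v) / len(v) for a, v in ap_lat.items()}
    return log, by_node, by_ap


# Constructed sample: one client roams AP-1 -> AP-2 (250 ms) and back (400 ms);
# a second client stays on AP-2 and must not appear in the roaming views.
SAMPLE = [
    Packet(1_000_000, "00:11:22:33:44:55", "AP-1", True),
    Packet(1_500_000, "00:11:22:33:44:55", "AP-1", False),   # probe request, ignored
    Packet(2_000_000, "00:11:22:33:44:55", "AP-1", True),    # last data on AP-1
    Packet(2_250_000, "00:11:22:33:44:55", "AP-2", True),    # first data on AP-2
    Packet(3_000_000, "66:77:88:99:aa:bb", "AP-2", True),
    Packet(5_000_000, "00:11:22:33:44:55", "AP-2", True),    # last data on AP-2
    Packet(5_400_000, "00:11:22:33:44:55", "AP-1", True),    # first data back on AP-1
    Packet(6_000_000, "66:77:88:99:aa:bb", "AP-2", True),
]

if __name__ == "__main__":
    log, by_node, by_ap = analyze_roaming(SAMPLE)
    for ev in log:
        print(f"{ev.ts_us / 1e6:8.3f}s  {ev.client}  {ev.from_bssid} -> {ev.to_bssid}"
              f"  {ev.latency_us / 1000:.1f} ms")
    print("by Node:", by_node)
    print("by AP:  ", by_ap)
```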


Chapter 24: Configuring Analyzer Cards

In this chapter:
About analyzer cards . . . . . . . . . . 426
Configuring hardware profiles for OmniAdapters . . . . . . . . . . 426


About analyzer cards


The WildPackets analyzer cards (OmniAdapters) are separately purchased cards used exclusively with WildPackets appliances. OmniAdapters are optimized for full-duplex or 10 Gigabit Ethernet capture. For card installation instructions, hardware setup, technical specifications, and related information, please see the documentation that ships with the card. If you have an OmniAdapter already installed, you can define one or more hardware profiles for the card from within OmniPeek. See Configuring hardware profiles for OmniAdapters.

Important! Changes made to the settings of a particular adapter are applied whenever that adapter is selected as the capture or monitor adapter.

Configuring hardware profiles for OmniAdapters


The Hardware Profiles view of the Capture Options or Monitor Options dialog allows you to define and manage hardware profiles that are used with OmniAdapters. Packet slicing, error packet capture, and filters based on address or port are implemented on the card in hardware.

Note Only one hardware profile can be implemented on an OmniAdapter at one time.


[Figure: Hardware Profiles view, with toolbar icons Insert, Edit, Duplicate, Delete, Import, and Export]

All currently defined hardware profiles are listed in the Hardware Profiles view of the Capture Options or Monitor Options dialog.

Note Click the Help button on the dialog to learn about the available options and settings.

To create a new hardware profile:
1. Open the Capture Options or Monitor Options dialog.
2. Click the Hardware Profiles view.
3. Click the Insert icon. The Insert Hardware Profile dialog appears.


4. Complete the dialog:

Profile: Type a name for the profile.
Color: Select a color for the profile.
Comment: Type a comment to provide a more complete description of the hardware profile's properties.
Slice packets to bytes (all channels): Select this option to enable packet slicing on the card. The minimum entry is 16 bytes, and the length must be a multiple of 8 bytes. We recommend keeping the slice value at 128 bytes or greater.
Apply Channel 1 filter settings to all channels: Select this option to assign the same properties to all channels as they are defined in the Channel 1 tab. Clear the check box if you want to define properties separately for each channel.
Discard error packets: Select this option to discard error packets.
Reject packets matching this filter: Select this option to pass packets to OmniPeek that do not match this filter.
Address filter: Select this check box to specify a filter parameter based on address.
Port filter: Select this check box to specify a filter parameter based on address.


5. Click OK to accept your changes. The new hardware profile is listed in the Hardware Profiles view.

Note Hardware profiles on the OmniAdapters automatically compensate for packets with Cisco ISL tags and 802.1Q VLAN tags, correctly identifying ports and addresses regardless of the presence of these tags.

To export selected hardware profiles:
1. Select the hardware profiles in the Hardware Profiles view, right-click, and choose Export Selected. A Save As dialog appears.
2. Specify the location and name for the hardware profiles (*.flt) file.

Note Hardware profiles and the software filter files used in OmniPeek share the same *.flt file extension. OmniPeek can distinguish between hardware and software filters. For information on software filters, see Chapter 6, Creating and Using Filters.

Configuring hardware profiles for OmniAdapters on an OmniEngine


When an OmniAdapter is the selected adapter on an OmniEngine, the Hardware Profiles tab appears in the Adapter Options dialog.


[Figure: Hardware Profiles tab of the Adapter Options dialog, with toolbar icons Insert, Edit, Duplicate, Delete, Import, Export, Uncheck All, and Refresh, and the "Click here to send changes" message]

To create a new hardware profile on an OmniEngine:
1. Select an OmniAdapter from the Adapters tab of the OmniEngines window.
2. Click Options for the adapter. The Adapter Options dialog appears.
3. Click the Hardware Profiles tab.
4. Click the Insert icon. The Insert Hardware Profile dialog appears.
5. Complete the Insert Hardware Profile dialog.

Note Click the Help button on the dialog to learn about the available options and settings.

6. Click OK to add the new hardware profile to the list of profiles.
7. Click the Click here to send changes message to send your changes to the OmniEngine.

Important! Because the hardware profile definitions reside on an OmniEngine, you must send all changes to an OmniEngine when you use the Insert, Edit, Duplicate, or Delete functions.


Note The Export and Import icons open Save As and file Open dialogs that point to the computer on which the OmniPeek console is running.


Chapter 25: OmniPeek Remote Assistant

In this chapter:
About OmniPeek Remote Assistant . . . . . . . . . . 434
Generating an ORA management file . . . . . . . . . . 435
Generating encrypted capture files . . . . . . . . . . 436
Opening an encrypted capture file . . . . . . . . . . 438
Importing an ORA management file . . . . . . . . . . 438
Exporting ORA management file . . . . . . . . . . 438


About OmniPeek Remote Assistant


OmniPeek Remote Assistant (ORA) is an easy-to-use, fully secure tool for troubleshooting wired and wireless networks. ORA allows remote users to easily collect critical network data needed for troubleshooting network problems. The network data (also known as captures) is fully encrypted and can only be accessed by the analyst requesting the data. Once the data has been collected and stored locally on the computer running ORA, the files can be transferred to the analyst for further investigation using OmniPeek Enterprise. There are three steps when using ORA:

First, the network analyst generates an ORA session to be sent to the remote user. This session is packaged in an ORA management file (a ZIP file containing an executable file and supporting files). Each ORA session can be based on an existing ORA group (using the same security key) or a new ORA group. See Generating an ORA management file on page 435.
The second step is for the remote user to extract the files from the ORA management file, and then run the ORA executable. See Generating encrypted capture files on page 436.
The third step is for the network analyst to open and analyze the files generated from the remote user. See Opening an encrypted capture file on page 438.

You can also import and export ORA management files. Importing ORA management files allows another OmniPeek/ORA user to analyze files that they did not generate themselves. See Importing an ORA management file on page 438. Exporting ORA management files allows a user to authorize another OmniPeek/ORA user to open and analyze files generated by the original user. See Exporting ORA management file on page 438.

OmniPeek Enterprise includes five ORA licenses by default. Each license allows for unlimited analysis from one remote computer. To obtain additional ORA licenses, contact WildPackets sales.


Generating an ORA management file


To begin using ORA, an ORA session must be created and packaged in an ORA management file. The ORA management file is then sent to the remote user.

To generate an ORA management file:
1. Choose Tools > Options. The Options dialog appears.
2. Click ORA Groups. The ORA Groups dialog appears.
3. Click New ORA. The New ORA dialog appears.

New ORA Group: Select this option to generate a new set of ORA management files, and then enter a name for the ORA group. This allows you to create a new set of ORA management files with a new encryption key.
New ORA based on selected ORA group: Select this option to generate a new set of ORA management files based on an existing ORA group (using the same security key).

4. Enter a file name and choose a location for the new ORA group.
5. Click Save.
6. Deliver the ORA management file to the remote user.


Generating encrypted capture files


All files created by ORA are encrypted. These files can only be decrypted and analyzed with computers having a unique security key.

To generate encrypted capture files:
1. Obtain the ORA management file generated in Generating an ORA management file on page 435.
2. Double-click the ZIP file to extract the contents of the file to a location on the target computer's hard disk.
3. Double-click the ORA application file (OmniPeekRemoteAssistant.exe). The main program window appears. The parts of the main program window are described below.

Adapter List: The adapter list lets you choose from an available list of wired and wireless network adapters installed on the ORA computer. You cannot select a combination of both wired and wireless adapters. If a wireless network adapter is selected, the Channel drop-down menu is enabled, allowing the selection of a wireless channel.


Note If you are using a supported wireless network adapter, check with your network analyst to ensure you have the appropriate WildPackets supported wireless driver installed. You must have a supported wireless adapter and driver to capture 802.11 traffic.

File Properties: The File Properties let you choose a folder path and specify the maximum rollover file size of a file before a new file is created. The folder path can be entered directly into the folder path edit box, or selected by clicking the browse button. All files created by ORA are saved as encrypted WildPackets capture files (*.pke), and are appended with a timestamp so that each new file created with the same folder path and file name is unique.
Capture Control: The Capture Controls let you start and stop captures. The Start and Stop buttons are enabled only when the configuration is correct. The Start button is disabled until a valid adapter has been selected. Once the capture has been started, the main program window, except for the Stop button, is disabled. While the capture is running, the Total Packets, Total Bytes, and Capture Duration are displayed in real time. When the Stop button is clicked, the main program window is re-enabled.

4. In the Adapter List, select one or more wired adapters, or one or more wireless adapters. You cannot select a combination of both wired and wireless adapters.
5. In the File Properties, enter or select a folder path for your encrypted capture files. Each file that is created includes a prefix (default prefix is Packet) and timestamp in its filename. The file is saved as a WildPackets encrypted capture file (*.pke).

Note Entering a folder path to anything other than an existing folder essentially creates a new filename prefix for the encrypted capture files.

6. In the File Properties, specify a rollover file size (in MBs) for each capture file before a new capture file is created.
7. Click the Start button to begin generating capture files.
8. Click the Stop button when you want to stop generating capture files.
9. Deliver your encrypted capture files to your network analyst per their instructions.

Chapter 25: OmniPeek Remote Assistant

Opening an encrypted capture file


Encrypted ORA capture files (*.pke) can be opened in OmniPeek in the following ways:

Double-click the file from Windows Explorer
Choose File > Open

Importing an ORA management file


Importing an ORA management file allows another OmniPeek ORA user to analyze files that they did not generate themselves. The user simply imports the ORA management file from the original computer that generated the ORA session. Once imported, any *.pke files generated with that ORA/encryption key combination can be opened and analyzed.

To import an ORA management file:

1. Choose Tools > Options. The Options dialog appears.

2. Click ORA Groups. The ORA Groups dialog appears.

3. Click Import.

4. Select the ORA management file (*.zip). The ORA management file must have been previously exported by the original user using the ORA Groups dialog in OmniPeek.

5. Click Open.

Exporting ORA management file


Exporting an ORA management file allows a user to authorize another OmniPeek ORA user to open and analyze files generated by the original user. The original user must export the ORA management file and make it available to the new user, who must then import the file.

To export an ORA management file:

1. Choose Tools > Options. The Options dialog appears.

2. Click ORA Groups.

3. Click Export.

4. Name the ORA management file (*.zip).

5. Click Save.


CHAPTER 26: Global Positioning System

In this chapter:

About GPS . . . . . . . . . . 440
Enabling GPS . . . . . . . . . . 440
Starting the WildPackets GPS daemon from the system tray . . . . . . . . . . 441
GPS columns in the Packets view . . . . . . . . . . 442


Chapter 26: Global Positioning System

About GPS
GPS (Global Positioning System) is a system of navigational satellites. Commercially available GPS receivers can calculate and report their geographical position and other navigational data (called a fix) based on signals transmitted by these satellites.

OmniPeek can display data provided by a separately purchased GPS receiver. For each packet, optional columns in the Packets view can show the GPS Time, Latitude, Longitude, Altitude, and Speed currently reported by the connected GPS receiver. This is especially useful if you need to identify where you were when you received a set of packets.

Note The GPS receiver requires clear access to the GPS satellites in order to display data in OmniPeek.

For example, if you worked on a large military base, you might need to identify the reach of your wireless network. Using OmniPeek and the GPS receiver, you could drive around the base capturing wireless packets with the GPS device providing you with coordinates. The resulting captures would provide a set of packets with their signal strengths from your network and a set of coordinates for your location.

OmniPeek uses a separate utility, the WildPackets GPS Daemon, as the interface between itself and your GPS receiver. The daemon supports GPS receivers that follow the NMEA (National Marine Equipment Association) 0183 standard, which provides data in recognized GPS sentences (comma-separated ASCII data strings) in the GPRMC and GPGGA formats. Refer to the manufacturer's instructions for your particular GPS receiver for information on how to use its features.

Enabling GPS
To enable GPS in OmniPeek:

1. Connect a supported GPS receiver to the COM1 port on the computer running OmniPeek.

2. Turn on the GPS receiver.

3. In OmniPeek, choose Tools > Options. The Options dialog appears.

4. Click the GPS view.


OmniPeek User Guide

Configure the GPS options:

Select the Enable GPS check box to start the WildPackets GPS Daemon whenever OmniPeek is started (or when you click the OK or Apply buttons of this dialog). See Starting the WildPackets GPS daemon from the system tray to learn more about using the WildPackets GPS Daemon.

In the GPS communication port list, select the communications port (COM) to which the GPS receiver is connected.

Select the Synchronize system clock to GPS time check box to update the system clock of the host computer to the time reported by the GPS receiver any time the system clock is more than 59 seconds out of sync with the GPS receiver time.

5. Click OK.

Starting the WildPackets GPS daemon from the system tray


The WildPackets GPS daemon provides another way (in addition to the Options dialog) to select the COM port used for GPS communication. GPS messages formatted in the NMEA standard are also displayed when you start the WildPackets GPS daemon from the system tray.

To start the GPS Daemon from the system tray:

1. Double-click the WildPackets GPS Daemon icon in the Windows system tray.

The WildPackets GPS Daemon window appears.

2. Click the Refresh button to update the window.

GPS columns in the Packets view


In the Packets view of a capture window, you can show GPS data by displaying one or more columns related to GPS. Simply right-click an existing column head and select one of the GPS columns described in the table below.

GPS Time: Displays the time reported by the GPS receiver for the fix associated with this packet.

Latitude: Displays the latitude portion of the GPS fix associated with this packet, reported (N, north or S, south) in degrees, minutes, and decimal fractions of a minute.

Longitude: Displays the longitude portion of the GPS fix associated with this packet, reported (E, east or W, west) in degrees, minutes, and decimal fractions of a minute.

Altitude: Displays the altitude portion of the GPS fix associated with this packet. Reported in the measurement system appropriate to the local settings associated with the user in the operating system. (US users in feet, all others in meters.)

Speed: Displays the speed portion of the GPS fix associated with this packet. Reported in the measurement system appropriate to the local settings associated with the user in the operating system. (US and UK users in miles per hour, all others in kilometers per hour.)

The following figure shows an example of the latitude and longitude columns in a capture window:

The GPS columns remain blank until GPS data is available. Once GPS data becomes available, the columns will show either GPS data or N/A. During capture, data is posted to these columns as it is passed from the GPS receiver by the WildPackets GPS Daemon. GPS receivers typically send a new fix every one or two seconds. The capture window will continue to use the last valid fix for a short interval. When the next fix is posted, the capture window will begin using this new fix for all captured packets. If the new fix is based on NMEA sentences flagged as invalid by the GPS receiver, the capture window will show N/A in the GPS columns. If a new fix is not presented within the time-out (a few seconds), the capture window will also begin to show N/A for all GPS columns. This can happen for any number of reasons; one of the most common is that the GPS receiver has temporarily lost contact with the satellites.

Tip GPS receivers usually have their own integrated display. Each time they get a new fix, they typically send the data to the attached computer first, then update their display. If you are moving fast enough, you may notice a slight lag between the updates of the GPS display and the computer screen.

The native format of GPS data for distance, speed, and altitude is expressed in metric or SI units (based on the meter). OmniPeek checks the operating system settings for the current user to determine which system of measurement is appropriate. If the local settings for the user indicate that the U.S. system of measurement should be used, then Altitude is displayed in feet and Speed is displayed in miles per hour. For a user in the UK, Altitude is in meters and Speed is in miles per hour. For all other users, Altitude is in meters and Speed is in kilometers per hour.

Note Conversion to another measurement system is performed before data is posted to the capture window. When you save packets to a capture file, GPS data is saved in whichever measurement system is in use by the capture window. OmniPeek does not convert between measurement systems when opening a capture file.
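As an added example, not WildPackets code, the following Python sketch models the NMEA 0183 handling described above: it checks each sentence's checksum, treats a GPRMC status of V or a GPGGA fix quality of 0 as an invalid fix, ages a fix out after a timeout so that the columns read N/A, merges the same-second GPRMC/GPGGA pair, and converts altitude and speed per locale before the column values are produced. The sample sentences and the three-second timeout are constructed assumptions.

```python
from dataclasses import dataclass
from functools import reduce
from typing import Optional

KNOT_KMH = 1.852            # GPRMC gives speed in knots; SI-native display is km/h
KM_PER_MILE = 1.609344
FEET_PER_METER = 3.28084
FIX_TIMEOUT_S = 3.0         # "a few seconds" without a new fix: columns show N/A (assumed)


@dataclass
class GpsFix:
    utc_time: str                        # hhmmss from the sentence
    latitude: float                      # decimal degrees, negative = south
    longitude: float                     # decimal degrees, negative = west
    speed_kmh: Optional[float] = None    # from GPRMC only
    altitude_m: Optional[float] = None   # from GPGGA only


def nmea_checksum(body: str) -> str:
    """XOR of every byte between '$' and '*', as two uppercase hex digits."""
    return f"{reduce(lambda a, b: a ^ b, body.encode('ascii'), 0):02X}"


def make_sentence(body: str) -> str:
    return f"${body}*{nmea_checksum(body)}"   # frame a body as '$<body>*<checksum>'


# Constructed samples: the RMC body is the widely quoted NMEA reference example,
# the GGA body was made up here to match it (same second, altitude 545.4 m).
SAMPLE_RMC = make_sentence("GPRMC,123519,A,4807.038,N,01131.000,E,022.4,084.4,230394,003.1,W")
SAMPLE_GGA = make_sentence("GPGGA,123519,4807.038,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,")


def split_sentence(line: str) -> Optional[list]:
    """Fields of a well-framed sentence with a good checksum, else None."""
    if not line.startswith("$") or "*" not in line:
        return None
    body, _, given = line.strip()[1:].partition("*")
    return body.split(",") if given.upper() == nmea_checksum(body) else None


def to_decimal_degrees(value: str, hemisphere: str) -> float:
    """NMEA ddmm.mmmm (lat) / dddmm.mmmm (lon) -> signed decimal degrees."""
    raw = float(value)
    degrees = int(raw // 100)
    sign = -1.0 if hemisphere in ("S", "W") else 1.0
    return sign * (degrees + (raw - degrees * 100) / 60.0)


def parse_fix(fields: list) -> Optional[GpsFix]:
    """Fix from GPRMC/GPGGA fields; None when the receiver itself flags no fix."""
    try:
        if fields[0] == "GPRMC" and fields[2] == "A":     # 'V' = void, no fix
            return GpsFix(fields[1], to_decimal_degrees(fields[3], fields[4]),
                          to_decimal_degrees(fields[5], fields[6]),
                          speed_kmh=float(fields[7]) * KNOT_KMH)
        if fields[0] == "GPGGA" and fields[6] != "0":     # quality 0 = no fix
            return GpsFix(fields[1], to_decimal_degrees(fields[2], fields[3]),
                          to_decimal_degrees(fields[4], fields[5]),
                          altitude_m=float(fields[9]))
    except (IndexError, ValueError):
        pass                              # short or malformed field list
    return None


class FixTracker:
    """Holds the last valid fix and ages it out, as the capture window does."""
    def __init__(self):
        self.fix: Optional[GpsFix] = None
        self.posted_at = 0.0

    def feed(self, line: str, now: float) -> None:
        fields = split_sentence(line)
        if fields is None:
            return                        # garbled on the serial line: ignore it
        fix = parse_fix(fields)
        if fix is None:
            self.fix = None               # receiver-flagged invalid: show N/A
            return
        if self.fix is not None and self.fix.utc_time == fix.utc_time:
            # GPRMC carries speed and GPGGA altitude: merge the same-second pair
            fix.speed_kmh = self.fix.speed_kmh if fix.speed_kmh is None else fix.speed_kmh
            fix.altitude_m = self.fix.altitude_m if fix.altitude_m is None else fix.altitude_m
        self.fix, self.posted_at = fix, now

    def current(self, now: float) -> Optional[GpsFix]:
        if self.fix is None or now - self.posted_at > FIX_TIMEOUT_S:
            return None                   # stale or invalid: every column reads N/A
        return self.fix


def format_dm(decimal: float, pos: str, neg: str) -> str:
    """Degrees, minutes and decimal minutes with hemisphere, e.g. 48 07.038' N."""
    degrees = int(abs(decimal))
    return f"{degrees} {(abs(decimal) - degrees) * 60:06.3f}' {pos if decimal >= 0 else neg}"


def gps_columns(fix: Optional[GpsFix], locale: str) -> dict:
    """Column values, converted from SI per locale before they are posted."""
    if fix is None:
        return dict.fromkeys(("GPS Time", "Latitude", "Longitude", "Altitude", "Speed"), "N/A")
    alt = "N/A" if fix.altitude_m is None else (
        f"{fix.altitude_m * FEET_PER_METER:.1f} ft" if locale == "US" else f"{fix.altitude_m:.1f} m")
    spd = "N/A" if fix.speed_kmh is None else (
        f"{fix.speed_kmh / KM_PER_MILE:.1f} mph" if locale in ("US", "UK") else f"{fix.speed_kmh:.1f} km/h")
    return {"GPS Time": fix.utc_time, "Latitude": format_dm(fix.latitude, "N", "S"),
            "Longitude": format_dm(fix.longitude, "E", "W"), "Altitude": alt, "Speed": spd}
```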


CHAPTER 27: Using Matrix Switches

In this chapter:

About matrix switches . . . . . . . . . . 446
Creating a new switch configuration profile . . . . . . . . . . 446
Configuring a matrix switch in OmniPeek . . . . . . . . . . 449


Chapter 27: Using Matrix Switches

About matrix switches


Matrix switches let you create a great variety of interconnections between connected devices on your distributed network, allowing you to change focus from one network segment to another quickly and easily. OmniPeek provides support for matrix switches made by Datacom and Net Optics. Matrix switches can be installed on the computer running OmniPeek or on the OmniEngine. One or more matrix switch configuration profiles must be created using configuration utilities provided by the switch manufacturer and installed with OmniPeek.

Note Matrix switches are not supported in OmniEngine Linux.

The Matrix Switches options of the Options dialog allow you to control matrix switches connected to the computer running OmniPeek. The Matrix Switches options of the OmniEngine Capture Options dialog allow you to control matrix switches connected to an OmniEngine.

Creating a new switch configuration profile


Before you can configure the Matrix Switches options in OmniPeek, you must use the configuration utilities provided by the switch manufacturer to first create at least one named matrix switch configuration profile: a description of a matrix switch (or group of such switches) and the COM port used to communicate with it. The profiles are created on the computer where the matrix switch is connected.

For matrix switches connected to an OmniPeek console, you can create switch configuration profiles directly from the Matrix Switches options of the Options dialog (click the Configure button). For matrix switches connected to an OmniEngine, you must run the configuration utility provided by the switch manufacturer directly from the computer where the matrix switch is connected.

Creating a profile for Datacom switches


You can create a switch configuration profile for either a Datacom matrix switch or a daisy chain of Datacom matrix switches. The Datacom configuration utility (APISetup.exe) is installed when you install OmniPeek or the OmniEngine. The default location of the utility is typically C:\Program Files\Common Files\WildPackets\Third-Party\Datacom\APISetup.exe.

To create a switch configuration profile:

1. Connect the matrix switch to the COM port on the computer. Refer to the matrix switch documentation for instructions.

2. Run APISetup.exe on the computer where the switch is installed. The Add Matrix Switch dialog appears.

3. Click the Configure Daisy Chain tab to define a new record.

4. Configure the options:

Daisy Chain Record: Select a record from the list. If there are no existing records, New is displayed.

Daisy Chain Name: Enter a name for the new configuration.

Switch 1 to Switch 4: If you have a single Datacom matrix switch, select the model number of the switch from the Switch 1 list. If you are defining an actual daisy chain, select the model numbers of each of the switches, in the order in which they are daisy-chained together. Use the Switch 1 list to identify the first switch in the daisy chain.

Sequential Address: Click this button to set the addresses for each configured switch.

Communication Port: Select the COM port to which Switch 1 is connected. This is the port that OmniPeek uses to communicate with the Datacom matrix switch (or daisy chain of Datacom matrix switches) you have just defined.

5. Click the Save and Exit button to save your changes. The configuration you just created will now be available in the Configuration list of the OmniPeek console and OmniEngine Matrix Switches options.

Creating a profile for Net Optics switches


You can create a switch configuration profile for either a Net Optics matrix switch or a daisy chain of Net Optics matrix switches. The Net Optics configuration utility (NetOptics.bat) is installed when you install OmniPeek or the OmniEngine. The default location of the utility is typically C:\Program Files\Common Files\WildPackets\Third-Party\NetOptics\NetOptics.bat.

To create a new switch configuration for a Net Optics matrix switch:

1. Connect the matrix switch to the COM port on the computer. Refer to the matrix switch documentation for instructions.

2. Run the NetOptics.bat file on the computer where the switch is installed. The Net Optics Matrix Switch dialog appears.

3. Click the Matrix Switch 1 tab to define the first switch.

4. In COM Selection, select the COM port to which Switch 1 is connected. This is the port that OmniPeek uses to communicate with the Net Optics matrix switch (or daisy chain of Net Optics matrix switches) you are defining.

5. Click the Detection button to automatically find the switch settings. The utility polls the selected COM port. Depending on whether you have one, two, or three switches, select from the following:

One Net Optics switch: The model number is displayed next to Model Selection in the Matrix Switch 1 view.

Daisy-chain of two Net Optics switches: Click the Matrix Switch 2 tab and click the Detection button on the Matrix Switch 2 view to display the model number for this switch. Return to the Matrix Switch 1 view and click the Detection button again to display the model number for the first switch.

Daisy-chain of three Net Optics switches: Click the Matrix Switch 3 tab and click the Detection button on the Matrix Switch 3 view to display the model number for this switch. Click the Matrix Switch 2 tab and click the Detection button on the Matrix Switch 2 view to display the model number for this switch. Return to the Matrix Switch 1 view and click the Detection button again to display the model number for the first switch.

6. Click the Save and Exit button to save your changes. The configuration you just created will now be available in the Configuration list of the OmniPeek console and OmniEngine Matrix Switches options.

Configuring a matrix switch in OmniPeek


Once you have created your switch configuration profiles, you can configure the matrix switch in OmniPeek. See the appropriate section below for configuring a matrix switch from either an OmniPeek console or an OmniEngine.

To configure a matrix switch from an OmniPeek console:

1. Choose Tools > Options. The Options dialog appears.

2. Select the Matrix Switches options.

3. Select the type of matrix switch from the Brand list.

4. Select the appropriate matrix switch configuration from the Configuration list.

5. Click the Configure button to start the Datacom or Net Optics configuration utility if you haven't already created a switch configuration profile for the matrix switch.

6. Select the analyzer port (Analyzer A, Analyzer B, and so forth) to which you wish to mirror traffic. The card connected to the selected analyzer port will receive the data.

7. Select the channel you wish to mirror to the selected analyzer port (Analyzer).

Note You cannot mirror more than one network data port (Channel) to the same analyzer port (Analyzer), nor can you mirror a single network data port to more than one analyzer port. The relationship must always be one to one.

8. Click OK.

To configure a matrix switch from an OmniEngine:

1. Open the OmniEngines window and connect to an OmniEngine.

2. Click the Matrix Switches tab.

3. Select the type of matrix switch from the Brand list.

4. Select the appropriate matrix switch configuration from the Configuration list.

5. Select the analyzer port (Analyzer A, Analyzer B, and so forth) to which you wish to mirror traffic. The card connected to the selected analyzer port will receive the data.

6. Select the Channel you wish to mirror to the selected analyzer port (Analyzer).

Note You cannot mirror more than one network data port (Channel) to the same analyzer port (Analyzer), nor can you mirror a single network data port to more than one analyzer port. The relationship must always be one to one.

7. Click Apply to send the information to the OmniEngine once you have specified the port mirroring. The OmniEngine will make the appropriate changes to the switch, using the COM port and serial connection specified in the current Configuration. When you click the Apply button, the Matrix Switches options become blank. When the switch acknowledges your changes, the options are refreshed to reflect the new configuration.

Tip Matrix switches do not report their current mirroring arrangements to OmniPeek or the OmniEngine, and these programs cannot automatically poll the switches to determine which Channel or data port is currently being mirrored to which Analyzer port. In practice, the only way to know for certain how a particular matrix switch is set up is to send it new setup instructions defining a new port mirroring arrangement. The switch will then acknowledge this new arrangement.


APPENDIX A: Menus and Keyboard Shortcuts

In this appendix:

File menu . . . . . . . . . . 454
Edit menu . . . . . . . . . . 455
View menu . . . . . . . . . . 457
Capture menu . . . . . . . . . . 460
Send menu . . . . . . . . . . 460
Monitor menu . . . . . . . . . . 461
Tools menu . . . . . . . . . . 461
Window menu . . . . . . . . . . 462
Help menu . . . . . . . . . . 463


Appendix A: Menus and Keyboard Shortcuts

File menu
Each entry below gives the menu item, its keyboard shortcut (in parentheses, where one exists), and a description.

New Capture (Ctrl + N): Opens the Capture Options dialog to configure a new capture window.

New Capture From Template: Creates a new capture window whose layout matches the template selected by one of the two methods below.
    Choose: Opens a file Open dialog wherein you can navigate to the capture window template of your choice.
    (recent templates): A list of the most recently used capture window templates. Choose one to create a new capture window using this template.

AutoCapture:
    Create New: Opens an empty AutoCapture File window in which you can define the parameters for a new AutoCapture file.
    Edit Existing: Opens a file Open dialog in which you can navigate to the AutoCapture (*.wac) file of your choice.

Open (Ctrl + O): Opens an OmniPeek capture file or other supported file type in a new capture file window.

Close: Closes the active window or file.

Save All Packets (Ctrl + S): Opens the Save dialog to save all packets in the active window.

Save Selected Packets: Opens the Save dialog to save selected packets in the active window. This item is displayed as Save Filters, Save Graph, Save Names, or as Save Log, Save Node Statistics, and so forth, when the relevant window is active.

Save Report: Opens the Save Report dialog to choose the file format and location in which to save a report on any of several collections of statistics for the current capture window or capture file. Formats include text (*.txt, *.csv), HTML, or XML.

Save Capture Template: Opens the Save dialog to save the Capture Options of the current capture window as a capture template (*.ctf), so it can be used to format subsequent new capture windows.

Print Setup: Opens the Print Setup dialog for configuring printer functions.

Print (Ctrl + P): Prints the active window in a format appropriate to its type.

Print Selected Packets: Opens the Print dialog to allow you to print the Decode view of the selected packets as a single document.

Properties: Displays various properties for the capture window.

Recent File: Following the Properties command is a numbered list of recently opened capture files.

Exit (Alt + F4): Quits OmniPeek.

Edit menu
Undo (Ctrl + Z): Undoes the last edit.

Redo (Ctrl + Shift + Z): Redoes the last edit.

Cut (Ctrl + X): Cuts the highlighted item(s) and copies them to the clipboard.

Copy (Ctrl + C): Copies highlighted item(s) to the clipboard.

Paste (Ctrl + V): Pastes the current contents of the clipboard.

Insert (Ins): When the Filters window is active, opens the Insert Filter dialog; when the Name Table window is active, opens the Insert dialog.

Delete (Del): Deletes the highlighted item(s).

Clear All Packets (Ctrl + B): Deletes all packets from the active capture window.

Select All (Ctrl + A): Selects all packets, text, or items in a window.

Select None (Ctrl + D): Removes all highlighting and selection.

Invert Selection: Unselects items that were selected and selects items that were unselected.

Select Packets (Ctrl + E): Opens the Select Packets dialog, where you can use filters, ASCII or hex strings, packet length, and Analysis Modules to select captured packets.

Select Related Packets: Searches for and selects packets that provide best matches to the highlighted item(s), based on the set of characteristics chosen from the list below.
    By Source: Chooses packets with matching source address.
    By Destination: Chooses packets with matching destination address.
    By Source and Destination: Chooses packets with matching source and destination addresses.
    By VLAN: Chooses packets in the virtual LAN.
    By Protocol: Chooses packets with matching protocol.
    By Port: Chooses packets with matching port.
    By Flow: Chooses packets sent between two nodes, using the matching protocol.

Hide Selected Packets (Ctrl + H): Removes selected packets from the display without deleting them. Hidden packets are not processed further.

Hide Unselected Packets (Ctrl + Shift + H): Removes unselected packets from the display without deleting them. Hidden packets are not processed further.

Unhide All Packets (Ctrl + U): Restores all previously hidden packets to normal status.

Copy Selected Packets to New Window: Creates a temporary capture file window containing only the selected packets.

Reprocess All Packets: Forces the same recalculation of all views without hiding or unhiding any packets. Changes to Reprocess VoIP Info when you hold down the Ctrl key before selecting the Edit menu. This reprocesses only the information in the VoIP tab.

Go To (Ctrl + G): Opens the Go To dialog where you can choose a packet number to jump to. If packets are selected, the number of the first selected packet is shown.

Go To Next Selected (Ctrl + J): Jumps to the next selected packet.

Go To Previous Selected (Ctrl + Shift + J): Jumps to the previously selected packet.

Find Pattern (Ctrl + F): Opens the Find Pattern dialog to search for a user-defined string in specified parts of packets.

Find Next (F3): Finds the next match in sequence to the previous Find Pattern search.

View menu
OmniEngines: Opens the OmniEngines window.

Filters (Ctrl + M): Opens the Filters window.

Name Table: Opens the Name Table window.

Log Window (Ctrl + L): Opens the Log window.

Alarms: Opens the Alarms window.

Display Format: The following options control the display format for nodes:
    Show Address Names: Display using the names found in the Name Table when available.

    Show Port Names: Display using port names found in the Name Table.
    Logical Address: Display using the logical address of the node where available.
    Physical Address: Display using the hardware (MAC) address only.
    Local Time: Operates as a toggle setting. When enabled, the program shows all timestamps adjusted for local time settings, such as time zone and Daylight Saving Time. When unchecked, the program shows all timestamps as UTC (Coordinated Universal Time).

Color: The following options control the use of color in Packets views and other displays:
    Source: Use the color assigned to the source node.
    Destination: Use the color assigned to the destination node.
    Protocol: Use the color assigned to the protocol.
    Filter: Use the color assigned to the filter that allowed the packet to be captured.
    Flag: Use the color assigned to flagged packets.
    Independent: Each item uses its own color.
    No Color: Use no color coding in the Packets view and other displays.

Toolbars: The following options control the icons that are displayed in the main window toolbar.
    File: Show/hide the File icons on the toolbar.
    View: Show/hide the View icons on the toolbar.
    Capture/Send: Show/hide the Capture/Send icons on the toolbar.
    Monitor: Show/hide the Monitor icons on the toolbar.
    Options/Help: Show/hide the Options/Help icons on the toolbar.

Customize: Opens the Customize dialog for customizing Commands, Toolbar, Keyboard, Menu, and Options.

Status Bar: Operates as a toggle setting. When enabled, displays status alerts and the current adapter in a bar at the bottom of the main program window.

Full Screen (F11): Displays the main window as full screen. Press Esc to return to the main window.

Application Look: Displays the application user interface in the selected theme.
    Office 2007: Displays the Office 2007 theme.
    Blue Style: Displays the Office 2007 blue theme.
    Black Style: Displays the Office 2007 black theme.
    Silver Style: Displays the Office 2007 silver theme.
    Aqua Style: Displays the Office 2007 aqua theme.
    Office 2003: Displays the Office 2003 theme.
    Office XP: Displays the Office XP theme.
    Visual Studio.NET 2005: Displays the Visual Studio.NET 2005 theme.
    Windows XP: Displays the Windows XP theme.
    Windows 2000: Displays the Windows 2000 theme.

Capture menu
Start Capture (Ctrl + Y): Opens the Capture Options dialog for a new capture. Toggles packet capture for an active capture window (Start Capture or Stop Capture). When the active window has a Start Trigger, displays as Start Trigger or Abort Trigger.

Capture Options: Opens the Capture Options dialog for an existing capture window.

Send menu
Initiate Send (Ctrl + I): Starts sending packets using the parameters you set in the Send Window.

Transmit One (Ctrl + T): Sends one copy of the designated Send Packet.

Send Selected Packets: Sends selected packets onto the network.

Set Send Packet: Designates a Send Packet.

Edit Send Packet: Opens the designated Send Packet in a Decode window with edit capabilities.

Send Window: Opens the Send Window, where you can control transmissions from OmniPeek.

Select Send Adapter: Opens the Select Send Adapter dialog in which you can choose an adapter to use in performing Send functions.

Monitor menu
Nodes (Ctrl + 1): Opens the monitor Node Statistics window.

Protocols (Ctrl + 2): Opens the monitor Protocol Statistics window.

Network (Ctrl + 3): Opens the monitor Network Statistics window.

Size (Ctrl + 4): Opens the monitor packet Size Statistics window.

Summary (Ctrl + 5): Opens the monitor Summary Statistics window.

History (Ctrl + 6): Opens the monitor History Statistics window.

Channel (Ctrl + 7): Opens the monitor Channel Statistics window.

WLAN (Ctrl + 8): Opens the monitor WLAN Statistics window.

Monitor statistics: Operates as a toggle setting. When enabled, collects all network statistics, independent of any capture window.

Reset Statistics: Clears all accumulated monitor statistics information and resets all values to zero.

Monitor Options: Opens the Monitor Options dialog, where you can configure settings for monitor statistics.

Tools menu
Split Packet File: Opens the Split Packet File dialog where you can split a large packet file into smaller packet files.

Decrypt WLAN Packets: Opens the Decrypt WLAN Packets dialog, where you can choose a key set to apply to encrypted packets in the current capture window.

Decrypt SSL Packets: Opens the SSL Server Keys dialog, where you can choose a key set to apply to SSL encrypted packets in the current capture window.

Convert WAN Trace: Select one of the following for file conversion:
    Frame Relay and LMI: Convert to Frame Relay or LMI.
    IPARS (P1024B): Convert to IPARS (P1024B).
    PPP and LCP: Convert to PPP or LCP.
    Q921/Q931: Convert to Q921/Q931.
    UTS (P1024C): Convert to UTS (P1024C).
    X.25: Convert to X.25.
    X.25 (mod 128): Convert to X.25 (mod 128).

Options: Opens the Options dialog, where you can specify default program behavior. From the Workspace view of this dialog you can also globally restore program defaults.

Customize: Opens the Customize Tools Menu dialog from which you can add items to the Tools menu, allowing you to launch other programs from within OmniPeek.

Window menu
New Vertical Tab Group: Adds the currently selected tab to a new vertical tab group in the main program window.

New Horizontal Tab Group: Adds the currently selected tab to a new horizontal tab group in the main program window.

Cascade: Arranges all open windows one behind the other, with only the tops of those behind showing above the others. This menu item is only available when the Multiple documents Window layout is enabled from the Options Workspace dialog (Tools > Options).

Tile Vertically: Fills the screen with open windows, arranged side by side. This menu item is only available when the Multiple documents Window layout is enabled from the Options Workspace dialog (Tools > Options).

Tile Horizontally: Fills the screen with open windows, arranged one above the other. This menu item is only available when the Multiple documents Window layout is enabled from the Options Workspace dialog (Tools > Options).

Arrange Icons: Lines up the icons of minimized open files.

Next (Ctrl + Tab): Makes the next window in sequence the active window.

Previous (Ctrl + Shift + Tab): Makes the previous window in sequence the active window.

Close All: Closes all open windows.

Help menu
Help Topics (F1): Launches the Online Help.
Keyboard Map: Opens the Help Keyboard dialog, which displays the keyboard accelerator keys for OmniPeek.
Show Start Page: Opens the Start Page.
Check for Updates: Connects to the internet to determine if a newer version of OmniPeek is available. If a newer version is available, a dialog is then displayed that allows you to open a browser window for upgrade instructions. You can also configure OmniPeek to check for a newer version automatically whenever it is launched, from the Options Workspace dialog (Tools > Options).
Readme: Opens the Readme file, containing information about the program which may have appeared since the publication of the current manual.
Getting Started Guide: Opens the OmniPeek Getting Started Guide.
WildPackets on the Web: The following indented items launch the default Internet browser and load the appropriate page from the WildPackets web site.
  Product News: Loads the latest product news about OmniPeek and related WildPackets products.
  Technical Support: Loads the technical support pages.
  Training: Loads pages describing WildPackets' extensive courses in OmniPeek and related network troubleshooting tools and techniques.
  WildPackets Home Page: Loads the WildPackets home page.
About OmniPeek: Displays the OmniPeek about box, including the last 10 characters of the serial number of your copy.
  Support: Click the Support button in the About OmniPeek dialog to display key system and program information. You can also save this information to a text file.

Appendix B: Reference

In this appendix:

Packet list columns . . . . . . . . . . . . . . . . . . . . . . 466
Expert view columns . . . . . . . . . . . . . . . . . . . . . . 470
Web view columns . . . . . . . . . . . . . . . . . . . . . . . . 476
Voice & Video view columns . . . . . . . . . . . . . . . . . . 478
Voice & Video Visual Expert columns . . . . . . . . . . . . . 482
Nodes statistics columns . . . . . . . . . . . . . . . . . . . 483
WLAN statistics columns . . . . . . . . . . . . . . . . . . . . 485
Channel statistics columns . . . . . . . . . . . . . . . . . . 489
OmniEngine capture tab columns . . . . . . . . . . . . . . . . 491
OmniEngine files tab columns . . . . . . . . . . . . . . . . . 492
OmniEngine details tab columns . . . . . . . . . . . . . . . . 493
Starting OmniPeek from the command line . . . . . . . . . . . 494

Packet list columns


The available columns in the Packet List of the Packets view of a capture window are described below.

Packet: Displays a packet number as determined by the time-sequential order in which the packets were captured.
Source: Displays the source address. Depending upon the choice under Display Format in the View menu, this address may be a physical address, a higher-level logical address such as IP or AppleTalk, or a symbolic name. Will appear italicized if Calculate implied transmitter is enabled in the Format tab of the Packet List Options dialog.
Source Logical: Shows the logical address of the packet's source. Unlike the default Source column, this column's display is unaffected by any choice you make in Display Format under the View menu. This allows you to show different formats for a packet's source on a single line.
Source Physical: Shows the physical address of the packet's source. Unlike the default Source column, this column's display is unaffected by any choice you make in Display Format under the View menu. This allows you to show different formats for a packet's source on a single line. Will appear italicized if Calculate implied transmitter is enabled in the Format tab of the Packet List Options dialog.
Source Port: Displays the source port or socket, if any, in the notation appropriate for that protocol.
Destination: Displays the destination address. Depending upon the choice under Display Format in the View menu, this address may be a physical address, a higher-level logical address such as IP or AppleTalk, or a symbolic name.
Destination Logical: Shows the logical address of the packet's destination. Unlike the default Destination column, this column's display is unaffected by any choice you make in Display Format under the View menu. This allows you to show different formats for a packet's destination on a single line.
Destination Physical: Shows the physical address of the packet's destination. Unlike the default Destination column, this column's display is unaffected by any choice you make in Display Format under the View menu. This allows you to show different formats for a packet's destination on a single line.
Destination Port: Displays the destination port or socket, if any, in the notation appropriate for that protocol.
BSSID: Displays the ID number of the access point or base station to whose traffic this packet belongs. This six-byte hexadecimal number is typically formed from the station's MAC address.
Transmitter: Displays the physical address of the station identified in the packet header as the Transmitter, regardless of which address field may contain that information. A transmitter is typically the last hop on a relay through the DS (distribution system) and is distinguished from the original Source address. Will appear italicized if Calculate implied transmitter is enabled in the Format tab of the Packet List Options dialog.
Receiver: Displays the physical address of the station identified in the packet header as the Receiver, regardless of which address field may contain that information. A receiver is typically the first hop on a relay through the DS (distribution system) and is distinct from the ultimate Destination address.
Address 1: Displays the physical address found in the first address field of the 802.11 WLAN MAC header, without reference to its type: destination, receiver, or BSSID.
Address 2: Displays the physical address found in the second address field of the 802.11 WLAN MAC header, without reference to its type: source, BSSID, or transmitter.
Address 3: Displays the physical address found in the third address field of the 802.11 WLAN MAC header, without reference to its type: source, destination, or BSSID.
Address 4: Displays the physical address found in the fourth address field of the 802.11 WLAN MAC header, without reference to its type. This address field is empty, except in packets relayed through the DS, in which it holds the source address.
GPS Time: Displays the time reported by the GPS receiver for the fix associated with this packet.
Latitude: Displays the latitude portion of the GPS fix associated with the packet, reported (N, north or S, south) in degrees, minutes, and decimal fractions of a minute.
Longitude: Displays the longitude portion of the GPS fix associated with the packet, reported (E, east or W, west) in degrees, minutes, and decimal fractions of a minute.
Altitude: Displays the altitude portion of the GPS fix associated with the packet. Reported in the measurement system appropriate to the local settings associated with the user in the operating system (US users in feet, all others in meters).
Speed: Displays the speed portion of the GPS fix associated with this packet. Reported in the measurement system appropriate to the local settings associated with the user in the operating system (US and UK users in miles per hour, all others in kilometers per hour).
VLAN: Displays the VLAN tags present in the packet.
Flags: Contains flag characters indicating that a packet matches some particular condition, such as an error condition or type of protocol data. The characters used for flags are assignable in the Flags tab of the Packet List Options dialog.
Channel: When an 802.11 adapter is selected as the capture adapter, this column displays the wireless channel for 802.11 captures. When an OmniAdapter is selected as the capture adapter, this column displays the channel on which the packet was captured.
Frequency: The center frequency of the 802.11 WLAN channel on which the packet was captured.
Band: The 802.11 WLAN standard(s) governing the use of the channel on which the packet was captured.
Signal: Displays the RSSI (Received Signal Strength Indicator) reported in the receipt of this packet, with RSSI normalized to a percentage value.
Signal dBm: Displays the received signal strength reported in the receipt of this packet, in dBm (decibel milliwatts).
Data Rate: Displays the data rate at which the body of this packet was transmitted.
Noise: Displays the noise detected on receipt of this packet, expressed as a percentage.
Noise dBm: Displays the noise detected on receipt of this packet, expressed in dBm (decibel milliwatts).
802.11 Flags: Displays the 802.11 frame control flags. The flags and their codes are as follows:
  - Order (O)
  - Protected Frame (W)
  - More Data (D)
  - Power Management (P)
  - Retransmission (R)
  - More Fragments (M)
  - From DS (F)
  - To DS (T)
Size: Displays the length of the packet in bytes, including the packet header, FCS bytes, and any padding.
Size Bar: Contains a graphic representation of the relative size of each packet, color-coded to indicate the relative size of basic protocol elements within the packet.
IP Length: Displays the total length of the IP datagram, in bytes. It includes the length of the IP header and data.
IP ID: Displays the IP ID (Identifier) of the packet. The IP ID uniquely identifies each IP datagram sent by a host. It normally increments by one each time a datagram is sent.
Date: Shows the date the packet was received.
Absolute Time: Displays the timestamp assigned to each packet as the actual time of capture, according to the system clock of the computer on which the program is running. Use the Format tab of the Packet List Options dialog to set the display units for all timestamps to milliseconds, microseconds, or nanoseconds.
Delta Time: Shows the timestamp of each packet as the elapsed time since the capture of the previous visible packet. When packets are hidden, the time shown is relative only to the previous visible packet. Use the Format tab of the Packet List Options dialog to set the display units for all timestamps to milliseconds, microseconds, or nanoseconds.
Relative Time: Displays the timestamp of each packet as the elapsed time since the start of the current session. You can set a particular packet as the zero time for all items in the Relative Time column. Packets captured before it will show negative values, those after it positive values, all relative to the new zero time. To set a packet as the zero time by making it the Relative Packet, right-click the packet's line and choose Set Relative Packet. Use the Format tab of the Packet List Options dialog to set the display units for all timestamps to milliseconds, microseconds, or nanoseconds.
Cumulative Bytes: If no Relative Packet is set, this column shows the total bytes represented by all the visible packets from the first packet in the list to the current packet, inclusive. If you have set a Relative Packet, this column shows the total bytes from the Relative Packet to the current packet, inclusive. To set a packet as the Relative Packet, right-click the packet's line and choose Set Relative Packet.
Protocol: Displays the protocol type of the packet. This may be shown as an LSAP value, a SNAP value, or a ProtoSpec. If you have established a symbolic name for a protocol otherwise unknown to ProtoSpecs, that name may be taken from the Name Table and displayed here.
Filter: Displays the name of the filter that allowed the packet to be entered into the capture buffer.
Summary: Lists any information provided about the packet by enabled Analysis Modules.
Analysis Module Name: Displays the name of the Analysis Module that supplied the information on that packet that is displayed in the Summary column.
Note: Shows the full text of any user-entered note associated with the packet.
Expert: Presents data collected about the packet by the Expert Analysis tools. Typically, this is a short description of the type of problem found in the packet or a description of the event, and may include a measurement (such as response time since another named packet) which caused this packet to be identified as an event.
Decode: Displays a portion of the information present in the Decode view of the packet, when that information matches the most recently highlighted part of any decode of any packet in the capture window. It shows the same part of the decode for every packet that contains the selected type of information.
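As an added example (not code from the OmniPeek manual or product), the following Python derives the 802.11 Flags, Address 1 to Address 4, Receiver, Transmitter, Source, Destination and BSSID columns from a raw data-frame MAC header, applying the To DS / From DS rules that decide which address field holds which role. The frames and MAC addresses it parses are constructed test input.

```python
from dataclasses import dataclass
from typing import Optional

# Frame Control byte 2 bit masks, listed in the order the 802.11 Flags column
# uses for its codes: Order (O), Protected Frame (W), More Data (D),
# Power Management (P), Retransmission (R), More Fragments (M), From DS (F), To DS (T).
FLAG_BITS = (
    (0x80, "O"), (0x40, "W"), (0x20, "D"), (0x10, "P"),
    (0x08, "R"), (0x04, "M"), (0x02, "F"), (0x01, "T"),
)


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02X}" for b in raw)


@dataclass
class HeaderColumns:
    flags: str            # 802.11 Flags column, e.g. "RFT"
    address1: str         # Address 1 .. Address 4 columns: raw field contents
    address2: str
    address3: str
    address4: Optional[str]
    receiver: str         # Receiver column: always Address 1
    transmitter: str      # Transmitter column: always Address 2
    source: str           # Source (physical) column
    destination: str      # Destination (physical) column
    bssid: Optional[str]  # BSSID column; not applicable to 4-address (DS-to-DS) frames


def parse_data_frame_header(frame: bytes) -> HeaderColumns:
    """Map an 802.11 data-frame MAC header onto the packet list column values."""
    if len(frame) < 24:
        raise ValueError("frame shorter than a minimal 802.11 MAC header")
    fc_lo, fc_hi = frame[0], frame[1]
    if (fc_lo >> 2) & 0x3 != 2:
        raise ValueError("only data frames (type 2) are handled here")
    flags = "".join(code for mask, code in FLAG_BITS if fc_hi & mask)
    to_ds, from_ds = bool(fc_hi & 0x01), bool(fc_hi & 0x02)
    a1, a2, a3 = fmt_mac(frame[4:10]), fmt_mac(frame[10:16]), fmt_mac(frame[16:22])
    # Address 4 exists only when both To DS and From DS are set; bytes 22-23 are
    # Sequence Control, so the fourth address starts at offset 24.
    a4 = None
    if to_ds and from_ds:
        if len(frame) < 30:
            raise ValueError("4-address frame truncated")
        a4 = fmt_mac(frame[24:30])
    # Which field carries source, destination and BSSID depends on the DS bits.
    if not to_ds and not from_ds:   # within the BSS or IBSS: A1=DA, A2=SA, A3=BSSID
        src, dst, bssid = a2, a1, a3
    elif to_ds and not from_ds:     # station to AP: A1=BSSID, A2=SA, A3=DA
        src, dst, bssid = a2, a3, a1
    elif from_ds and not to_ds:     # AP to station: A1=DA, A2=BSSID, A3=SA
        src, dst, bssid = a3, a1, a2
    else:                           # relayed through the DS: A1=RA, A2=TA, A3=DA, A4=SA
        src, dst, bssid = a4, a3, None
    return HeaderColumns(flags, a1, a2, a3, a4, a1, a2, src, dst, bssid)


def build_header(fc_hi: int, a1: bytes, a2: bytes, a3: bytes,
                 a4: Optional[bytes] = None) -> bytes:
    """Constructed test input: a data frame (type 2, subtype 0) with the given flags/addresses."""
    hdr = bytes([0x08, fc_hi]) + b"\x00\x00" + a1 + a2 + a3 + b"\x10\x00"  # duration, seq ctrl
    return hdr + (a4 if a4 is not None else b"")


# Constructed MAC addresses (locally administered, not real devices).
STA = bytes.fromhex("021122334455")
AP = bytes.fromhex("0266778899aa")
PEER = bytes.fromhex("02bbccddeeff")
AP2 = bytes.fromhex("020a0b0c0d0e")

if __name__ == "__main__":
    # Station to AP, protected: flags "WT"; BSSID is taken from Address 1.
    print(parse_data_frame_header(build_header(0x41, AP, STA, PEER)))
    # AP-to-AP relay through the DS, retransmitted: flags "RFT"; Address 4 holds the source.
    print(parse_data_frame_header(build_header(0x0B, AP2, AP, PEER, STA)))
```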

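The Delta Time, Relative Time and Cumulative Bytes rules described above can be checked in code. This added Python example (not OmniPeek code) computes those three columns for a constructed packet list containing one hidden packet and a user-chosen Relative Packet; the session start is assumed to be the first captured packet, and the value of Cumulative Bytes for packets before the Relative Packet is an assumption, since the manual does not define it.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Packet:
    number: int           # Packet column
    timestamp: datetime   # Absolute Time column (system clock at capture)
    size: int             # Size column, in bytes
    visible: bool = True  # False once the packet is hidden in the list


@dataclass
class TimingRow:
    packet: int
    delta: Optional[float]           # elapsed since the previous *visible* packet
    relative: float                  # elapsed since the zero time (session start or Relative Packet)
    cumulative_bytes: Optional[int]  # bytes from the first visible packet (or Relative Packet) to here


def _elapsed(later: datetime, earlier: datetime, units: str):
    """Elapsed time in the display units chosen in Packet List Options: ms, us or ns."""
    micros = (later - earlier) // timedelta(microseconds=1)  # signed integer microseconds
    return {"ms": micros / 1000, "us": micros, "ns": micros * 1000}[units]


def timing_columns(packets: List[Packet], relative_packet: Optional[int] = None,
                   units: str = "ms") -> List[TimingRow]:
    by_number = {p.number: p for p in packets}
    visible = [p for p in packets if p.visible]
    if relative_packet is None:
        # No Relative Packet: zero time is the session start (assumed here to be the first
        # captured packet) and Cumulative Bytes runs from the first visible packet.
        zero_time = packets[0].timestamp
        start_index = 0
    else:
        zero_time = by_number[relative_packet].timestamp
        # Cumulative Bytes starts at the Relative Packet (or the next visible one if it is hidden).
        start_index = next((i for i, p in enumerate(visible) if p.number >= relative_packet),
                           len(visible))
    rows: List[TimingRow] = []
    prev: Optional[Packet] = None
    running = 0
    for i, p in enumerate(visible):
        # Delta Time skips hidden packets: it is measured from the previous visible packet.
        delta = None if prev is None else _elapsed(p.timestamp, prev.timestamp, units)
        # Relative Time is negative for packets captured before the Relative Packet.
        relative = _elapsed(p.timestamp, zero_time, units)
        if i >= start_index:
            running += p.size
            cumulative: Optional[int] = running
        else:
            cumulative = None  # assumption: undefined before the Relative Packet
        rows.append(TimingRow(p.number, delta, relative, cumulative))
        prev = p
    return rows


# Constructed packet list (not a real capture); packet 3 is hidden.
T0 = datetime(2012, 6, 1, 9, 30, 0)
SAMPLE = [
    Packet(1, T0, 64),
    Packet(2, T0 + timedelta(microseconds=1500), 1500),
    Packet(3, T0 + timedelta(microseconds=2000), 60, visible=False),
    Packet(4, T0 + timedelta(microseconds=5000), 128),
    Packet(5, T0 + timedelta(microseconds=7250), 256),
]

if __name__ == "__main__":
    for row in timing_columns(SAMPLE, relative_packet=4):
        print(row)
```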
Expert view columns


The following sections describe the column headings available in the Expert views.

Note: For descriptions of columns available in the Expert VoIP Media view, see Voice & Video view columns on page 478.

Expert clients/servers, flows, and application view columns


The following table describes the columns available in the Expert Clients/Servers, Flows, and Applications views.

Client Addr: The address of the Client for the current flow.
Client Port: The port on which the Client or Client Addr was communicating in the current flow.
Server Addr: The address of the Server or Server Addr for the current flow.
Server Port: The port on which the Server or Server Addr was communicating in the current flow.
Flow ID: A sequence number assigned to each unique flow identified by the Expert.
Flows: For a pair of nodes, shows the number of flows detected. (Hierarchical view only)
Events: Total number of events identified by the Expert EventFinder.
Protocol: The protocol under which the packets in this flow were exchanged.
Apdex: The Apdex score for this row. After at least 10 samples, an Apdex score of 0.00 (Unacceptable) to 1.00 (Excellent) appears. See Calculating the Apdex score on page 68 for details.
Apdex Sample Count: The number of Apdex tasks that have completed for this row. (Application view only)
Hops: Number of router hops between the server and the capture adapter.
Packets: The number of packets in the selected exchange. Note that packet totals are rolled up, such that higher levels of aggregation show totals for all sub-elements.
Client Pkts: The total number of packets sent from the Client or Client Addr in the current flow.
Server Pkts: The total number of packets sent from the Server or Server Addr in the current flow.
Bytes: The total bytes represented by the packets which were a part of the selected flow.
Client Bytes: The total bytes sent from the Client or Client Addr in the current flow.
Server Bytes: The total bytes sent from the Server or Server Addr in the current flow.
Start: The timestamp of the first packet in the current flow.
Finish: The timestamp of the final packet in the current flow.
Duration: The elapsed time, from the first to the last packet of the selected exchange, represented in the form Hours:Minutes:Seconds.decimal seconds. The precision is set in the Expert view options dialog.
% Wireless Retries: The number of 802.11 retry packets, as a percentage of all packets for this row.
Response Time Turn Count: The number of pairs of packets used to calculate the value for average response time.
Best Response Time: The lowest observed response time in the current flow or stream.
Avg Response Time: For exchanges in which this parameter is relevant, shows the arithmetic average of all client/server response times or of latencies for the selected pair of nodes.
Worst Response Time: The longest observed response time in the current flow.
C->S bps Turn Count: The number of packets sent from Client Addr to Server Addr, forming the basis for the throughput calculations for the current flow or conversation in this direction.
C->S bps Best: The largest observed throughput from Client Addr to Server Addr in the current flow.
C->S bps: The calculated simple average throughput (total throughput divided by total packets) for the traffic from Client Addr to Server Addr observed in the current flow.
C->S bps Worst: The smallest observed throughput from Client Addr to Server Addr in the current flow.
S->C bps Turn Count: The number of packets sent from Server Addr to Client Addr, forming the basis for the throughput calculations for the current flow in this direction.
S->C bps Best: The largest observed throughput from Server Addr to Client Addr in the current flow.
S->C bps: The calculated simple average throughput (total throughput divided by total packets) for the traffic from Server Addr to Client Addr observed in the current flow.
S->C bps Worst: The smallest observed throughput from Server Addr to Client Addr in the current flow.
TCP Status: For exchanges that represent TCP transactions, notes whether the session is Open or Closed.

Expert event log columns


The following table describes the columns in the Event Log tab of the Expert.

Severity Icon: The severity of the event, as set in the Expert EventFinder Settings window.
Date/Time: The date and time this event occurred.
Layer: The network layer to which events of this type belong.
Event: The EventFinder definition which identified this packet as an event. The description may be modified to show additional information.
Source Addr: The source address for this packet. The node is identified by its logical address, or by the symbolic name for that address if one exists in the Name Table.
Dest Addr: The destination address for this packet. The node is identified by its logical address, or by the symbolic name for that address if one exists in the Name Table.
Source Port: The source port for this packet. If the port is a well-known port, the protocol or application name is shown instead of the port number.
Dest Port: The destination port for this packet. If the port is a well-known port, the protocol or application name is shown instead of the port number.
Packet: The packet number, as assigned in the Packets view of the capture window or capture file.
Flow ID: The ID (or call number, or flow index) of the flow (or call) to which the event pertains.
Request ID: Unique ID assigned to this individual HTTP request.
Call Number: Internally generated call ID. The first captured call is call 1, the second is call 2, and so on. Note: Do not confuse this with the phone number string that often appears in the gateway-assigned Call ID column.
Flow Index: Internally generated index for a single flow within a call. The first flow is index 1, the second is 2, and so on. Signaling and control flows also consume index numbers, so it is rare that a call's media flows will occupy indices 1 and 2.

Expert node details tab rows and columns


The following table describes the rows and columns in the Details tab of the Expert.

Name: The name (or address) of each node. The node is identified by its logical address, or by the symbolic name for that address if one exists in the Name Table.
Network Address: The logical address, in a format appropriate to the protocol of the conversation.
Packets Sent: The total number of packets sent by this node as a part of this conversation.
Bytes Sent: The total number of bytes sent by this node as a part of this conversation.
Average Size (Bytes): The average size of the packets sent by this node as a part of this conversation, in bytes.
First Packet Time: The date and time of capture (to the nearest second) of the first packet for this node in the current conversation.
Last Packet Time: The date and time of capture (to the nearest second) of the last packet for this node in the current conversation.
Routed Hops: The number of intervening router hops between the node and the capture adapter.
TCP Min Window: The minimum size of the TCP window during the course of this conversation.
TCP Max Window: The maximum size of the TCP window during the course of this conversation.
Best, Worst, Average, and Turn: Shows measures of response time and throughput.
C->S (units): Shows throughput for client to server.
S->C (units): Shows throughput for server to client.
Layer: OSI layer of the detected Expert Event for the selected flow.
Event: Name of the Expert Event (see Expert EventFinder on page 189).
Count: Number of instances of this event for the selected node pair.

Visual Expert PacketVisualizer tab columns


The following table describes the columns available in the PacketVisualizer tab of the Visual Expert.

Packet: Packet number.
Cumulative Bytes (Client): Running byte count of all bytes from the client.
Cumulative Bytes (Server): Running byte count of all bytes from the server.
Cumulative Bytes (Both): Running byte count of all bytes, total.
Absolute Time: Packet time.
Relative Time: Packet time, relative to the first packet in this flow.
Delta Time: Packet time, relative to the previous packet.
Size: Packet's byte count.
PacketVisualizer: Graphic display of size and direction of the packet. Client arrows point right; server arrows point left. This column can also display tick marks between packets.
Acked By: The packet number of the first packet that ACKs this packet.
Ack For: The packet number of the last packet that this packet ACKs.
Summary: A display of IP and TCP data for this packet. Similar to the Summary column in the Packets view, with unique spacing of client and server information.
Expert: If there is an expert event for this packet, this column displays that event's message. Right-click to open the Expert EventFinder dialog.

Visual Expert TCP Trace graph flags


The following table describes each of the flags in the TCP Trace graph of the Visual Expert. Each flag applies to client packets, server packets, or both.

PUSH (no label): TCP PUSH flag set (appears as a diamond, rather than an arrowhead, and has no text label)
FIN: TCP FIN flag set (shows a square, rather than an arrowhead)
SYN: TCP SYN flag set (shows a diamond, rather than an arrowhead)
U: TCP Urgent flag set
RST_IN: TCP RST flag set in ACK packet from client
RST_OUT: TCP RST flag set in packet from server
R: Retransmitted data (at least one byte of SEQ overlaps)
O: Out of sequence data
Z: ACK packet with a zero window
P: Zero window probe
!: The Expert identified an event for this packet
HD: Hardware Duplicate (also called IP Local Routing)
S: Selective ACK (also shows a purple line, spanning the acknowledged sequence numbers)

Web view columns


The following table describes the columns common to all of the Web views of a capture window.

Name: Name of the server, client, page, or individual HTTP request.
Timing: Graphical timeline of this individual HTTP request.
Request ID: Unique ID assigned to this individual HTTP request.
Page ID: Unique ID assigned to an HTML page. All the images, stylesheets, and other embedded files that make up a single HTML page will have this same Page ID. When Page ID == Request ID, that row is the HTML page's own request.
Flow ID: Flow ID assigned to this client/server TCP connection. Same as the Flow ID that appears throughout the Expert views.
Client Addr: Who sent this HTTP request.
Client Port: TCP port from which this HTTP request came.
Server Addr: Who sent this HTTP response.
Server Port: TCP port from which this HTTP response came. Usually port 80.
URI: What file or page on the server the HTTP request wants. Can be outrageously long for some CGI, ad server, and database-driven requests.
Response Code: Numeric HTTP response code, such as 200 for success, or 404 for page not found.
Response Text: Textual explanation of the HTTP response code, such as OK or Page not found.
Content-Type: Value of the Content-Type HTTP response header: text/html for HTML pages, image/jpeg for JPEGs.
Referer: Value of the Referer HTTP request header: the URL of the page that linked to this individual HTTP request. For embedded images, stylesheets, and so on, this is usually the containing HTML page. For HTML pages, this is the page that linked to this page.
Host: Value of the Host HTTP request header. Can differ from the actual Server IP address when accessing a web server farm. (Not shown in screenshot above.)
Packets: Total number of packets.
Client Pkts: Request packets from client.
Server Pkts: Response packets from server.
Bytes: Total number of bytes.
Client Bytes: Request bytes from client.
Server Bytes: Response bytes from server.
Request Data Bytes: Payload bytes from client (typically 0 unless there is some POST data). Client Bytes minus all the HTTP request header bytes.
Response Data Bytes: Payload bytes from server, often the size of the actual file transferred (unless transfer-encoding adds to or compresses the payload). Server Bytes minus HTTP response header bytes.
Start: Time of first packet, either the SYN if this is the first request on a flow, or the first packet of the HTTP GET or other HTTP request.
Finish: Time of last packet, either the last FIN if this is the last request on a flow, or the last packet of the HTTP response.
Duration: The difference between Finish and Start times.

Voice & Video view columns


The following table describes the columns available in the Voice & Video Calls and Media views of a capture window. Some columns are specific to either the Calls or Media view. For a list of additional columns available in the Voice & Video Visual Expert, see Voice & Video Visual Expert columns on page 482.

Call Number: Internally generated call ID. The first captured call is call 1, the second is call 2, and so on. Note: Do not confuse this with the phone number string that often appears in the gateway-assigned Call ID column.
Flow Index: Internally generated index for a single flow within a call. The first flow is index 1, the second is 2, and so on. Signaling and control flows also consume index numbers, so it is rare that a call's media flows will occupy indices 1 and 2.
SSRC: Synchronization Source: a unique 32-bit hexadecimal value that identifies a single media flow within a node.
Name: Internally generated string identifying a call (from --> to) or a media flow (RTP src:port --> dest:port).
Flow ID: PeekFlow-assigned ID of this single signaling, media, or media control flow. Corresponds to Flow ID values in the Expert and Web views. Most flows contain two media flows, one for each direction.
From: Caller-assigned phone number of the node initiating the call.
To: Callee-assigned phone number of the node receiving the call.
Call ID: Gateway-assigned call identifier string, usually some sort of globally unique identifier.
Call Status: Status of the call, either Opened or Closed.
End Cause: Most recent call termination signaling, like BYE or 480 Not Available.
Signaling: Specific signaling protocol for this row.
Protocol: ProtoSpec name of this row. See also the Signaling and Codec columns.
Codec: Codec used for media.
Bit Rate: Codec-defined bit rate for this media flow, such as 64,000 bps for a 64 kbps G.711 media flow. This is a fixed rate defined by the codec, not the actual measured throughput that the Expert views calculate.
Media Type: Type of media flow: voice, audio, or video.
Caller Address: IP address or name table entry of the node initiating the call.
Caller Port: UDP port for the node initiating the call; usually applies only to individual flow rows such as media flow rows.
Callee Address: IP address or name table entry of the node receiving the call.
Callee Port: UDP port for the node receiving the call; usually applies only to individual flow rows such as media flow rows.
Gatekeeper Address: IP address of the first gatekeeper or proxy contacted by the caller.
Gatekeeper Port: UDP port of the first gatekeeper or proxy contacted by the caller.
Source Addr: The source address for this media flow.
Source Port: UDP port of the node sending this media flow.
Dest Addr: The destination address for this media flow.
Dest Port: The destination port for this media flow.
Media Flows: Number of separate media flows within this call. Often two per call.
Media Packets: Number of packets in the media flow.
Media Frames: Number of audio or video frames or samples within the media flow.
Control Flows: Number of media control flows.
Control Packets: Number of media control packets.
Signaling Flows: Number of signaling flows.
Signaling Packets: Number of signaling packets.
Packets: Total number of packets in the call, including all media, signaling, and control flows.
Setup Time: Time between the first signaling packet and the last signaling packet before media packets start flowing.
PDD: Post Dial Delay: time between the last signaling packet and the first media packet.
One-Way Delay: One half of the average round-trip delay for this call or flow.
Start: Time of the first packet in this call or media flow.
Finish: Time of the last or most recent packet in this call or media flow.
Duration: The difference between Finish and Start times.
MOS-LOW: Because MOS scores are based on media flows, not calls, each call's quality is taken to be the lowest MOS score (MOS-LOW) of any of its associated media flows. Voice media is scored with MOS-CQ, video media with MOS-V, and audio media with MOS-A.
Jitter: Jitter in milliseconds.
Packet Loss %: Expected but never received packets, as a percentage of expected packets.
MOS-LQ: MOS score calculated under the assumption that this is a one-way, listen-only media flow.
MOS-CQ: MOS score calculated under the assumption that this is an interactive conversation media flow.
MOS-PQ: MOS score calculated using a model that permits apples-to-apples comparisons with other MOS-PQ measurements.
MOS-Nom: Theoretical maximum possible MOS score given the codec and bit rate.
MOS-A: The audio quality MOS score calculated for the audio stream. Range [0.00-5.00]. Only for audio flows. See VS-AQ.
MOS-AV: The multimedia quality MOS score calculated for the video stream. Range [0.00-5.00]. Only for video flows. See VS-MQ.
MOS-V: The picture quality MOS score calculated for the video stream. Range [0.00-5.00]. Only for video flows. See VS-PQ.
R Factor Listening: R-Factor calculated under the assumption that this is a one-way, listen-only media flow.
R Factor Conversational: R-Factor calculated under the assumption that this is an interactive conversation media flow.
R Factor G.107: R-Factor calculated using an ITU G.107 model that permits apples-to-apples comparisons with other G.107 measurements.
R Factor Nominal: Theoretical maximum possible MOS score given the codec and bit rate.
VS-AQ: The VQmon Video Service Audio Quality calculated for the audio stream. Range [0-50]. Only for audio flows. See MOS-AV.
VS-MQ: The VQmon video service multimedia quality. Range [0-50]. Only for video flows. See MOS-AV.
VS-PQ: The VQmon video service picture quality. Range [0-50]. Only for video flows. See MOS-V.
VS-TQ: The VQmon video service transmission quality. Range [0-50]. Only for video flows. No corresponding MOS score.

Voice & Video Visual Expert columns


In addition to many of the columns available in the Voice & Video views (see Voice & Video view columns on page 478), the following columns are also available in the Voice & Video Visual Expert.
Packet: Packet number. For RTP/RTCP rows, this is the first packet in that row.
Message: There is one set of messages per signaling flow. If a call has multiple signaling flows (for example, H.225/Q.931 and H.245), there will be multiple sets of messages. Each new message in the signaling flow increments the message index. You can use the Message index and the Flow Index together to understand the sequence of events on multiple signaling channels for a single call.
Time: Packet time.
Relative Time: Time relative to the first row in the Voice & Video Visual Expert.
Finish: Time of the last packet in the RTP/RTCP row.
Duration: Finish - Time.
Bounce Diagram: The visual part of the Voice & Video Visual Expert.
Response Code: Response code number, such as 100 or 200 for the SIP responses Trying or OK.
Response Text: Response message, such as the SIP responses Trying or OK.
Sequence: Signaling sequence number.
Sequence Method: Signaling sequence method.
Media Packets: Number of RTP packets in this RTP/RTCP row.
Control Packets: Number of RTCP packets in this RTP/RTCP row.
RTP/RTCP: Values for the last RTP packet in this RTP/RTCP row: Jitter, MOS-LQ, MOS-CQ, MOS-PQ, MOS-Nom, MOS-A, MOS-AV, MOS-V, R Factor Listening, R Factor Conversational, R Factor G.107, R Factor Nominal, VS-AQ, VS-MQ, VS-PQ, and VS-TQ.

Nodes statistics columns


The following table describes the columns common to all of the flat views in the Nodes view of a capture window and in the Nodes Statistics window of OmniPeek monitor statistics.
Node: The address or name of the node, in the format appropriate to the view type.
Utilization %: The amount of bandwidth used by this node, expressed as a percentage of the total possible bandwidth of the adapter from which you are capturing. It is an average over the duration of the capture.
Total Bytes %: Percentage of total bytes sent and received by this node.
Total Packets %: Percentage of total packets sent and received by this node.
Total Bytes: Total bytes sent and received by this node.
Total Packets: Total packets sent and received by this node.

Bytes Sent: Total bytes sent by this node.
Bytes Received: Total bytes received by (or addressed to) this node.
Packets Sent: Total packets sent by this node.
Packets Received: Total packets received by (or addressed to) this node.
Broadcast Packets: Total broadcast packets sent by this node.
Broadcast Bytes: Total broadcast bytes sent by this node.
Multicast Packets: Total multicast packets sent by this node.
Multicast Bytes: Total multicast bytes sent by this node.
Broadcast/Multicast Packets: Total broadcast and multicast packets sent by this node.
Broadcast/Multicast Bytes: Total broadcast and multicast bytes sent by this node.
Min. Size Sent: The size of the smallest packet sent by this node.
Max. Size Sent: The size of the largest packet sent by this node.
Avg. Size Sent: The average size of the packets sent by this node.
Min. Size Received: The size of the smallest packet received by this node.
Max. Size Received: The size of the largest packet received by this node.
Avg. Size Received: The average size of the packets received by this node.
First Time Sent: Time stamp of the first packet sent by this node.
Last Time Sent: Time stamp of the most recent packet sent by this node.
First Time Received: Time stamp of the first packet received by this node.
Last Time Received: Time stamp of the most recent packet received by this node.
Duration: The difference between the time stamp of the earliest sent or received packet and that of the most recent sent or received packet.
Peers: The number of nodes that are communicating with this node.
Packets/Peers: The average number of packets for all of the nodes that are communicating with this node.
Bytes/Peers: The average number of bytes for all of the nodes that are communicating with this node.

WLAN statistics columns


The following table describes all of the columns available in the WLAN view of capture windows and in the WLAN Statistics window of OmniPeek monitor statistics. Data rates depend on the physical layer implementation, and different data rate columns are available depending on the standards supported by the selected adapter. In 802.11 WLANs, every packet begins with a preamble and PLCP header sent at the lowest common data rate. The body of the packet can then be sent at any of the supported data rates. It is the data rate at which the body of the packet is sent that is reported in the data rate columns.
Node: The Node column in the WLAN view displays detected nodes in a nested hierarchy of stations (STA) under BSSIDs, under ESSIDs.
ESSID: The ESSID for this node. When ESSIDs are in use, access points (or equivalents) announce their ESSID in Beacon packets and/or Probe Response packets.
Type: The type of node. This is either the identifying string of an extended service set (ESSID), an access point (AP), an ordinary station temporarily acting as the base station for an ad hoc group (Ad Hoc), or a station (STA). Broadcast and multicast destination addresses which cannot be identified as belonging to a particular node are identified by the Admin label. Unknown node types show a blank in this field.
Channel: The channel on which OmniPeek was listening when the most recent packet for this node was captured. During a channel scan, this value may appear anomalous, as the same node may be detected on multiple channels but only the most recent will show in this column. Important: The channel shown for nodes identified as an access point (AP) will be the channel on which that AP is broadcasting, as identified in the AP's Beacon packets and Probe Responses.

Frequency: The frequency in MHz of the traffic captured on a specific channel.
Band: The identifying band of the traffic captured on a specific channel, such as a/b/g/n.
Association Strength: The WLAN view arranges each STA under the AP (or equivalent) with which it most recently communicated. The Association Strength parameter lets you distinguish between nodes that are simply probing (searching for an AP with which to associate) and those that are truly associated (those that have completed the association process with a particular AP). Nodes that are truly associated with their AP show an Association Strength of Strong. Those that are not associated, but have merely communicated (typically with a probe packet), show an Association Strength of Weak.
Authentication: Shows the most recently seen form of authentication used by this node to connect with its BSSID. Example values include EAPTLS, LEAP, and PEAP. Note that OmniPeek does not monitor the authentication state of all nodes, but only registers the most recent authentication. Also, some authentication methods are encrypted in a way that prevents identification of the authentication method.
Encryption: Shows the most recently seen form of encryption used by this node to communicate with its BSSID. Example values include CKIP, TKIP, WEP and CCMP. Note that OmniPeek does not monitor the encryption state of all connections, but only registers the most recent method seen from each node.
Trust: Shows the user-assigned trust setting from the Name Table for this BSSID or STA. Right-click any node to change this property. See Trusted, known, and unknown nodes on page 367.
Signal Strength columns: Columns showing statistics related to signal strength reported with each packet, expressed either as a percentage or in decibel milliwatts (dBm). Cur. = Most recently reported signal strength on the channel. Min. = Minimum signal strength reported on this channel from the time the statistics count was created until the most recent update. Max. = Maximum signal strength reported on this channel from the time the statistics count was created until the most recent update.

Noise columns: Columns showing statistics related to noise reported with each packet, expressed either as a percentage or in decibel milliwatts (dBm). Cur. = Most recently reported noise reading on the channel. Min. = Minimum noise reading reported on this channel from the time the statistics count was created until the most recent update. Max. = Maximum noise reading reported on this channel from the time the statistics count was created until the most recent update.
Bytes Sent: Bytes sent by this node.
Bytes Received: Bytes received by this node.
Total Bytes: Total bytes, both sent and received, for this node.
Packets Sent: Packets sent by this node.
Packets Received: Packets received by this node.
Total Packets: Total packets, both sent and received, for this node.
Retry Packets: Retry packets sent by this node.
Protected Packets: Number of encrypted packets sent by this node (Protected Frame bit set to 1).
WEP ICV Errors: Number of WEP ICV errors encountered in attempting to apply WEP keys to packets from this node.
WEP Key: Name of the user-defined WEP key currently in use to decrypt traffic from this node.
Beacon Packets: Number of beacon packets sent by this node.
Broadcast ESSID: Number of broadcast ESSID packets sent by this node.
Power Save: The power save state most recently reported by this node. Values are awake or sleep.

Roam Time: For STAs moving between APs, shows the time between the last successful data transmission (for example, with the previous AP) and successful association with the new AP. For APs, shows the average value for associated STAs entering the BSS during the capture session.
Data Rate columns: Columns show the number of packets (or bytes) sent at the data rate named in the column header. You can show columns for any and all data rates supported by the current adapter.
Broadcast Packets: Total broadcast packets sent by this node.
Broadcast Bytes: Total broadcast bytes sent by this node.
Multicast Packets: Total multicast packets sent by this node.
Multicast Bytes: Total multicast bytes sent by this node.
Min. Size Sent: The size of the smallest packet sent by this node.
Max. Size Sent: The size of the largest packet sent by this node.
Avg. Size Sent: The average size of the packets sent by this node.
Min. Size Received: The size of the smallest packet received by this node.
Max. Size Received: The size of the largest packet received by this node.
Avg. Size Received: The average size of the packets received by this node.
First Time Sent: Time stamp of the first packet sent by this node.
Last Time Sent: Time stamp of the most recent packet sent by this node.
First Time Received: Time stamp of the first packet received by this node.
Last Time Received: Time stamp of the most recent packet received by this node.

Duration: The difference between the time stamp of the earliest sent or received packet and that of the most recent sent or received packet.
Privacy: Shows True or False, and indicates whether the Privacy bit in the capabilities section of Management packets (Beacon, Probe, and so forth) recently sent by this node was set to 1 (True) or 0 (False). This tells potential peers that the sending node will use encryption (True) or will not (False).

Channel statistics columns


The following table describes all of the columns available in the Channels view of capture windows and in the Channels tab of the Channel Statistics window of OmniPeek monitor statistics.
Channel: The number of the channel, indicating its center frequency.
Frequency: Shows the frequency of the channel in MHz (for example, 5180MHz for Channel 36).
Band: Shows the wireless band of the channel (for example, 802.11a, 802.11b, and 802.11n).
APs: Number of access points seen on the channel.
Total: Total of all traffic on the channel.
Data: Data packets.
Mgmt: Management packets.
Ctrl: Control packets.
Local: Local traffic, not associated with any Distribution System (DS). Includes station-to-station traffic plus management and control packets. The TO DS and FROM DS bits are both set to 0.
From DS: The number of packets on that channel which were marked as From DS, meaning they were tagged as being directed from a Distribution System. This generally means packets from an access point to a client.

To DS: The number of packets on that channel which were marked as To DS, meaning they were tagged as being directed toward a Distribution System. This generally means packets from a client to an access point.
DS-DS: The number of packets on that channel which were marked as both To DS and From DS, meaning they were tagged as being from one Distribution System to another. This generally means packets from one access point to another access point.
Retry: Packets in which the Retry bit is set to 1, indicating the packet is a retransmission.
Protected: Packets in which the Protected Frame bit is set to 1, indicating the packet payload is encrypted.
Order: Packets in which the Order bit is set to 1, requesting the contents be handled in strict order.
CRC Errors: Packets with CRC errors. The CRC is a checksum performed over the whole packet. CRC errors indicate the packet was truncated or garbled in transmission. This is common in cases of channel overlap and interference.
WEP ICV: Packets containing WEP ICV errors. The ICV is a checksum performed over the data portion of a WEP-encrypted packet. On an otherwise properly formed packet, a WEP ICV failure often means the WEP keys used to decrypt the packet are not the right ones. Packets with CRC errors will commonly show as also having WEP ICV errors.
Signal Strength columns: Columns showing statistics related to signal strength reported with each packet, expressed either as a percentage or in decibel milliwatts (dBm). Min. = Minimum signal strength reported on this channel from the time the statistics count was created until the most recent update. Max. = Maximum signal strength reported on this channel from the time the statistics count was created until the most recent update. Cur. = Most recently reported signal strength on the channel. Avg. = Average signal strength over the period of statistics collection on this channel. Calculated as the simple average of all reported signal strengths seen, regardless of duration.

Noise columns: Columns showing statistics related to noise reported with each packet, expressed either as a percentage or in decibel milliwatts (dBm). Min. = Minimum noise reading reported on this channel from the time the statistics count was created until the most recent update. Max. = Maximum noise reading reported on this channel from the time the statistics count was created until the most recent update. Cur. = Most recently reported noise reading on the channel. Avg. = Average noise reading over the period of statistics collection on this channel. Calculated as the simple average of all reported noise readings seen, regardless of duration.
Created: Date and time at which this channel was first scanned for a signal, in the current session.
Updated: Date and time of the most recent scan of this channel, in the current session.
Data Rate columns: A variety of columns showing the number of packets/bytes in which the data portion of the packet was transmitted at the specified data rate.

OmniEngine capture tab columns


The following table lists the columns and their descriptions available from the Captures tab of an OmniEngine window.
Capture: Name of the capture window.
Status: For example, Capturing or Idle.
Adapter: Adapter used by OmniEngine.
Link Speed: Reported automatically by the adapter, in Mbits per second.
Media: For example, Ethernet.
Buffer size: Total size of the capture buffer set for the current capture.
Packets Received: Total packets presented on the adapter used by this capture window.

Packets Filtered: Total packets accepted into the buffer.
Packets Dropped: Total packets dropped from the buffer.
Start Time: Time at which the capture was begun.
Stop Time: Time at which the capture was stopped.
Duration: Elapsed time since the start of the current capture.
Alarms: Shows a separate icon (indicating severity of notification) for each alarm enabled in the capture window that is indicating a Suspect Condition or Problem Condition.
Owner: Username of the person who created the capture window.
Modified by: Username from the login of the person who most recently made any change to the capture window.
Action: Most recent action (for example, Start Capture).

OmniEngine files tab columns


The following table lists the columns and their descriptions available from the Files tab of an OmniEngine window.
Name: Name of the file saved to the Data Folder on the OmniEngine. See Configuring and updating OmniEngine settings on page 24.
Path: The location of the saved file.
Capture: Name entered in the General view of the remote capture Options dialog.
Size: Size of the capture.
Media: Media type of the capture.
Packets: When the capture is stopped, displays the number of captured packets.
Start Time: Time when the remote capture began.

Stop Time: Time when the remote capture was stopped.
Duration: Total length of the remote capture.
Time Zone: Time zone in which the capture took place.
Adapter: Adapter selected for this capture.
Adapter Address: MAC address of the computer on which the selected adapter resides.
Link Speed: The speed as reported by the adapter, in Mbits/second.
File Number: The number of the file in a capture-to-disk session.

OmniEngine details tab columns


The following table lists the columns and their descriptions available from the nested Details tab of an OmniEngine window Forensics tab.
Capture: Name entered in the General view of the Capture Options dialog.
Session Start Time: Start time of the capture session.
Data Start Time: Start time of available data in the capture session.
Data End Time: End time of available data in the capture session.
Duration: Length of time of available data in the capture session.
Size: Size of available data in the capture session.
Packets: Number of captured packets in the capture session.
Packets Dropped: Number of dropped packets in the capture session.
Media: Media type of the capture.
Adapter: Adapter for the capture session.
Adapter Address: MAC address of the adapter for the capture session.
Link Speed: The speed as reported by the adapter, in Mbits/second.

Owner: Name of the user that created the capture.
Columns: Allows you to enable/disable specific columns in the Details tab.
Show All Columns: Displays all columns in the Details tab.

Starting OmniPeek from the command line


You can start OmniPeek from the command line using the following syntax:
OmniPeek.exe [/autoload |/autostart ] [template1] [templateN]

The /autoload switch loads the specified Capture Template (*.ctf) file(s). The /autostart switch loads the specified template(s) and begins capture. Multiple templates may be listed, separated by spaces. You can use the * (asterisk) character or the ? (question mark) character as wildcards when specifying template names, following standard Windows wildcard usage. In a typical default installation of OmniPeek, the command is run from:
C:\Program Files\WildPackets\OmniPeek

To automatically load template file capture1.ctf, for example, the command would be:
omnipeek /autoload [template file location]\capture1.ctf

You can also open OmniPeek from the command line specifying an AutoCapture (*.wac) file as its object. See Chapter 20, Using AutoCapture.


Appendix C: OmniPeek Installed Components


In this appendix:

Component descriptions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496


Component descriptions
The default location for OmniPeek installed components is typically C:\Program Files\WildPackets\OmniPeek. The following table lists and describes each component:
Alarms: The 1033/Alarms directory contains two sets of predefined alarms (default alarms.alm and additional alarms.alm) which you can import into the Alarms window. You can also modify the alarms in these files. See Chapter 15, Setting Alarms and Triggers.
Capture Template: The 1033/Capture Template directory contains the capture templates created in OmniPeek.
Copyrights: The 1033/Copyrights directory contains text files of certain licenses used in OmniPeek.
Dashboard: The 1033/Dashboard directory contains settings for the dashboards.
Documents: The 1033/Documents directory contains PDF versions of the User Guide and Getting Started Guides for all Omni software.
Expert: The 1033/Expert directory contains the HTML files used by the Expert EventFinder. See Chapter 8, Expert Analysis.
Filters: The 1033/Filters directory contains the files default.flt and default hardware filters.flt, which are the default selection of filters for use with the program. You can create, modify, or delete individual filters, and save and reload various assortments of filters in named *.flt files for use in different packet capture scenarios.
Graphs: The 1033/Graphs directory contains the default set of graphs for the Graphs view of capture windows and capture file windows, in the files default graphs.gph and default remotegraphview.xml.
Html: The 1033/Html directory contains the HTML version of the OmniPeek Getting Started Guide.
Names: The 1033/Names directory contains configuration files for Name Table entries you might want to install. The default.nam file provides a starting configuration for the Name Table, and includes a current list of the Vendor ID portion of MAC addresses. This allows you to substitute the name of the card manufacturer for the first three bytes of any physical address.

Analysis modules: The 1033/PluginRes directory contains files used by Analysis Modules that enhance the program's analyzing capabilities. For a complete description of the Analysis Modules available with the program, see Appendix D, Analysis Modules.
Reports: The 1033/Reports directory contains XML, XSL, and HTML templates, along with related support files, for use with the Save Report functions and with options available in the Statistics Output views of the Capture Options and Monitor Options dialogs. See Generating statistics output reports on page 302 for more details.
Utilities: The Bin directory contains helpful utilities, such as the two command line utilities included with OmniPeek. PeekCat concatenates smaller capture files into a larger one. PeekSplit creates smaller capture files out of a larger one.
Compass: The Compass directory contains the Compass dashboard Flash UI and support files.
Packet decoders: The Decodes directory contains the modules used to decode packets. These modules provide OmniPeek with the instructions it needs to display packet contents, based on the types of protocols used.
Drivers: The Drivers directory contains the OmniPeek drivers for supported adapters and operating systems, along with their installation instructions.
MIBs: The MIBs directory contains the MIB file that supports the SNMP Trap action in notifications. For an overview of the notification functions in OmniPeek, see Chapter 16, Sending Notifications.
Plugins: The Plugins directory contains the DLL files for the Analysis Modules.
Samples: The Samples directory contains a variety of sample capture files and an associated name table file. You can use these files for testing, training, and to familiarize yourself with program functions. See the Readme file in that directory for more details.


Application Data: Application data, such as names, filters, log files, and so forth, is cached in the Application Data folder. The default location of the Application Data folder is a directory on the root drive where the operating system is installed (typically C:\) with the path name Documents and Settings\(user name)\Application Data. OmniPeek creates a subdirectory structure within this location to cache application data. That subdirectory structure is WildPackets\OmniPeek. For example, the application data for the Administrator of a Windows XP system would be cached in C:\Documents and Settings\Administrator\Application Data\WildPackets\OmniPeek.
GPS: The WildPackets GPS Daemon is the interface between OmniPeek and your GPS receiver and is typically installed by default at C:\Program Files\Common Files\Wildpackets\GPS\gpsdaemon.exe.

Appendix D: Analysis Modules


In this appendix:

Analysis Module Descriptions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 500


Analysis Module Descriptions


This appendix describes each of the Analysis Modules options found in the Options dialog. You can view the Options dialog by choosing Tools > Options, or by clicking List installed plug-ins from the Start Page.

802.11 Analysis
The 802.11 analysis module displays and logs the values found in the one-bit frame control fields of the 802.11 WLAN MAC headers. To open the 802.11 Analysis Module Options dialog:
1. Choose Tools > Options > Analysis Modules.
2. Select 802.11 Analysis Module and click the Options button. The 802.11 Analysis Module Options dialog appears.
3. Select Display frame control flags to have the flags displayed in the Summary column of the Packets view of capture windows.
4. Assign (or accept the defaults for) the character OmniPeek will use for each of the frame control flags monitored by the analysis module. To change the character, type a new value beside the flag. Indicate the character shown for absent frame control flags by entering it in the Flag not present text box.
5. Click OK to accept your changes.

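Added example, not code from the OmniPeek guide: a small Python decoder for the 802.11 Frame Control field that renders the one-bit flags as a per-flag character string (the kind of summary the 802.11 Analysis Module produces) and classifies frames by their To DS / From DS bits into the Local, From DS, To DS and DS-DS buckets the Channels view counts. The flag characters, the "flag not present" character and the sample frames are constructed for this example.

```python
"""Decode the 802.11 MAC Frame Control field and summarise its one-bit flags."""
import struct

# One-bit flags in the second Frame Control byte: (name, bit mask, display character).
# The display characters are constructed defaults, like those assignable in the dialog.
FLAG_BITS = [
    ("To DS", 0x01, "T"),
    ("From DS", 0x02, "F"),
    ("More Fragments", 0x04, "M"),
    ("Retry", 0x08, "R"),
    ("Power Management", 0x10, "P"),
    ("More Data", 0x20, "D"),
    ("Protected Frame", 0x40, "W"),
    ("Order", 0x80, "O"),
]
ABSENT = "."  # character used for a flag that is not present (constructed default)
TYPE_NAMES = {0: "Mgmt", 1: "Ctrl", 2: "Data"}


def parse_frame_control(frame: bytes) -> dict:
    """Return version, type, subtype and each flag from the first two bytes of a frame."""
    if len(frame) < 2:
        raise ValueError("frame too short for a Frame Control field")
    fc = struct.unpack("<H", frame[:2])[0]      # Frame Control is little-endian
    byte0, byte1 = fc & 0xFF, fc >> 8
    info = {
        "version": byte0 & 0x03,
        "type": TYPE_NAMES.get((byte0 >> 2) & 0x03, "Reserved"),
        "subtype": (byte0 >> 4) & 0x0F,
    }
    for name, mask, _ in FLAG_BITS:
        info[name] = bool(byte1 & mask)
    return info


def flag_summary(frame: bytes) -> str:
    """Fixed-width flag string, one character per flag, ABSENT where the bit is 0."""
    info = parse_frame_control(frame)
    return "".join(ch if info[name] else ABSENT for name, _, ch in FLAG_BITS)


def ds_class(frame: bytes) -> str:
    """Classify by the To DS / From DS bits the way the Channels view does."""
    info = parse_frame_control(frame)
    to_ds, from_ds = info["To DS"], info["From DS"]
    if to_ds and from_ds:
        return "DS-DS"
    if to_ds:
        return "To DS"
    if from_ds:
        return "From DS"
    return "Local"


def channel_counts(frames) -> dict:
    """Tally Channels-view style counters over a list of raw frames."""
    counts = {"Total": 0, "Retry": 0, "Protected": 0, "Order": 0,
              "Local": 0, "From DS": 0, "To DS": 0, "DS-DS": 0}
    for frame in frames:
        info = parse_frame_control(frame)
        counts["Total"] += 1
        counts["Retry"] += info["Retry"]
        counts["Protected"] += info["Protected Frame"]
        counts["Order"] += info["Order"]
        counts[ds_class(frame)] += 1
        counts[info["type"]] = counts.get(info["type"], 0) + 1
    return counts


# Constructed sample frames (only the two Frame Control bytes matter here).
SAMPLE_FRAMES = [
    b"\x80\x00",   # Beacon: management, subtype 8, no flags
    b"\x08\x4a",   # Data from an AP: From DS, Retry, Protected
    b"\x88\x41",   # QoS Data to an AP: To DS, Protected
    b"\x08\x03",   # Data between two APs: To DS and From DS
    b"\xd4\x00",   # ACK: control, subtype 13
]

if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        info = parse_frame_control(frame)
        print(frame.hex(), info["type"], info["subtype"], flag_summary(frame), ds_class(frame))
    print(channel_counts(SAMPLE_FRAMES))
```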

AppleTalk Analysis
The AppleTalk analysis module keeps track of and displays information about AppleTalk Address Resolution Protocol (AARP) requests, AARP responses, AARP probes, unanswered AARP requests, and the number of AppleTalk multicasts on your network. In addition, the AppleTalk analysis module shows details for NBP, ATP, and ASP. The results of the AppleTalk analysis module are displayed in the Summary column of the Packets view of any capture window, and its counts are also used as some of the key baseline traffic elements provided in Summary Statistics.

Aggregator Adapter
The Aggregator Adapter, which appears in the Analysis Modules view of the Options dialog in OmniPeek, lets you capture and analyze traffic from multiple sources. For wired traffic, it aggregates packets from multiple wired adapters. For wireless traffic, it captures wireless packets from multiple channels simultaneously (without scanning), measures vital statistics on each channel separately, and calculates the latency of devices roaming between access points. See Configuring adapter options on page 40. You can enable or disable the Aggregator Adapter functionality in OmniPeek in the Analysis Modules view of the Options dialog. To change options in the Wireless Aggregator and Roaming Analysis Options dialog:
1. Choose Tools > Options > Analysis Modules.
2. Select Aggregator and click the Options button. The Wireless Aggregator and Roaming Analysis Options dialog appears.
3. Configure the dialog:
   Accept CRC packets: Select this option to show CRC packets for AirPcap adapters in the Packets view.
   Filter out roams with missing Association packets: Select this option to hide roams with missing association packets in the Roaming views.
4. Click OK to accept your changes.


Aruba Remote Adapter


The Aruba Remote Adapter, which appears in the Analysis Modules view of the Options dialog in OmniPeek, lets you stream packets from one or more Aruba access points into a running wireless capture window in OmniPeek. To begin streaming packets, you will need to create a new Aruba Remote Adapter entry, and then select the new adapter as the adapter for a capture window. See Configuring adapter options on page 40. You can enable or disable the Aruba Remote Adapter functionality in OmniPeek in the Analysis Modules view of the Options dialog. To change options in the Aruba Remote Adapter Options dialog:
1. Choose Tools > Options > Analysis Modules.
2. Select Aruba Remote Adapter and click the Options button. The Aruba Remote Adapter Options dialog appears.
3. Select Timestamp packets on capture machine if you are capturing packets from multiple access points.
4. Click OK to accept your changes.

Checksums Analysis
Many network error detection and correction techniques are based on checksums. The sender performs a computation on the data to be sent, and the result, the checksum, is included with the transmission. The receiver performs the same computation on the data it receives and compares its result to the sender's checksum. If they differ, the data is most likely corrupted and the sender is asked to retransmit it. The Checksums analysis module verifies checksums and keeps track of the total number of invalid checksums for IP headers and data (including ICMP, IGMP, TCP, and UDP), and for AppleTalk DDP data. Invalid checksums can be displayed in capture windows. This analysis module can send notifications.

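Added example, not OmniPeek code: the verification described above, carried out for an IPv4 header checksum and a UDP checksum (which covers a pseudo-header of addresses, protocol and length plus the datagram), together with the sender-side computation that builds a correct packet. The sample packet, its addresses and payload are constructed in the block.

```python
"""Verify IPv4 header and UDP checksums as a checksum analysis module would."""
import socket
import struct

PROTO_UDP = 17


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum of data (an odd trailing byte is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071): complement of the one's complement sum."""
    return (~ones_complement_sum(data)) & 0xFFFF


def verify_ipv4_header(packet: bytes) -> bool:
    """Receiver's check: the header summed with its stored checksum must be all ones."""
    ihl = (packet[0] & 0x0F) * 4
    return ones_complement_sum(packet[:ihl]) == 0xFFFF


def verify_udp(packet: bytes) -> bool:
    """UDP check over pseudo-header + datagram; a stored 0 means no checksum was sent."""
    ihl = (packet[0] & 0x0F) * 4
    src, dst = packet[12:16], packet[16:20]
    udp_len = struct.unpack("!H", packet[ihl + 4:ihl + 6])[0]
    udp = packet[ihl:ihl + udp_len]
    if struct.unpack("!H", udp[6:8])[0] == 0:
        return True
    pseudo = src + dst + struct.pack("!BBH", 0, PROTO_UDP, udp_len)
    return ones_complement_sum(pseudo + udp) == 0xFFFF


def check_packet(packet: bytes) -> dict:
    """Per-packet verdict, the two counters the module keeps for an IPv4/UDP packet."""
    return {"ip_header_ok": verify_ipv4_header(packet), "udp_ok": verify_udp(packet)}


def build_ipv4_udp(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Sender side: build an IPv4/UDP packet with both checksums filled in."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    pseudo = src + dst + struct.pack("!BBH", 0, PROTO_UDP, udp_len)
    udp_csum = checksum(pseudo + udp) or 0xFFFF   # 0 is reserved for "no checksum"
    udp = udp[:6] + struct.pack("!H", udp_csum) + udp[8:]
    # version/IHL, TOS, total length, ID, flags/fragment, TTL, protocol, checksum, addresses
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0x1234, 0, 64,
                         PROTO_UDP, 0, src, dst)
    header = header[:10] + struct.pack("!H", checksum(header)) + header[12:]
    return header + udp


def sample_packet() -> bytes:
    """Constructed sample: one UDP datagram between two private addresses."""
    return build_ipv4_udp("10.0.0.1", "10.0.0.2", 5060, 5060, b"constructed payload")


def corrupt_byte(packet: bytes, offset: int) -> bytes:
    """Flip one bit at offset, simulating a packet garbled in transit."""
    return packet[:offset] + bytes([packet[offset] ^ 0x01]) + packet[offset + 1:]


if __name__ == "__main__":
    pkt = sample_packet()
    print("intact:      ", check_packet(pkt))
    print("payload hit: ", check_packet(corrupt_byte(pkt, len(pkt) - 1)))
    print("TTL changed: ", check_packet(corrupt_byte(pkt, 8)))
```

A TTL change without a header checksum update is flagged by the IP header check only, while a damaged payload is caught by the UDP check only, which is why the module tracks the two separately.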

Cisco Remote Adapter


The Cisco Remote Adapter, which appears in the Analysis Modules view of the Options dialog in OmniPeek, lets you stream packets from one or more Cisco access points into a running wireless capture window in OmniPeek. To begin streaming packets, you will need to first create a new Cisco Remote Adapter entry, and then select the new adapter as the adapter for a capture window. See Configuring adapter options on page 40. You can enable or disable the Cisco Remote Adapter functionality in OmniPeek in the Analysis Modules view of the Options dialog. To change options in the Cisco Remote Adapter Options dialog:
1. Choose Tools > Options > Analysis Modules.
2. Select Cisco Remote Adapter and click the Options button. The Cisco Remote Adapter Options dialog appears.
3. Select Timestamp packets on capture machine if you are capturing packets from multiple access points.
4. Click OK to accept your changes.

Compass Adapter
The Compass Adapter analysis module displays the Compass dashboard inside a capture window. The Compass dashboard is an easy-to-use network monitoring tool for both wired and wireless networks. It is an interactive forensics dashboard that displays network utilization over time, including top nodes and protocols. See Compass dashboard on page 70.

Duplicate Address
The Duplicate Address analysis module displays and logs instances of two or more network devices using the same IP address. When the Duplicate Address analysis module notes two separate physical addresses using the same logical IP address, it produces a Notification. The Duplicate Address analysis module also adds a count of duplicate IP addresses detected to Summary Statistics and the Summary view of any capture window.

To change options in the Duplicate Address analysis module Options dialog:

1. Choose Tools > Options > Analysis Modules.
2. Select Duplicate Address Analysis Module and click the Options button. The Duplicate Address Analysis Module Options dialog appears.
3. Select Suppress redundant reports and enter the physical addresses of devices that should be ignored. (By default, duplicate reports for the physical hardware broadcast address are suppressed.)
4. Click OK to accept your changes.

Tip For the most accurate results, use the Name Table to identify routers on the local segment before enabling the Duplicate Address analysis module. Duplicate IP address notifications are usually caused by multiple routers. Because routers forward traffic from other networks at OSI Layer 3, the logical address (IP) is forwarded unchanged while the physical address (MAC) is changed to that of the router doing the forwarding. When there is more than one router on the local segment, multiple physical addresses may therefore be associated with a single logical address and trigger a Duplicate Address notification.
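The detection rule and the router caveat from the Tip, as an added example that is not OmniPeek code: one IP address sourced from more than one physical address is a duplicate, the broadcast address is suppressed by default, and known routers are excluded so that a remote host forwarded by two routers is not reported. The observations are constructed; DuplicateAddressDetector, its parameters and ROUTER_A/ROUTER_B are hypothetical.

```python
"""Flagging one IP address claimed by several physical addresses, as the Duplicate
Address analysis module does, with the broadcast address suppressed by default and
routers on the local segment excluded as the Tip above recommends.

Added example, not OmniPeek code. The observations are constructed;
DuplicateAddressDetector, its parameters and ROUTER_A/ROUTER_B are hypothetical.
"""
from collections import defaultdict

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


class DuplicateAddressDetector:
    def __init__(self, ignore_macs=(), known_routers=(), suppress_redundant=True):
        # Physical addresses whose reports are suppressed (the broadcast address by default)
        self.ignore = {m.lower() for m in ignore_macs} | {BROADCAST_MAC}
        # Routers forward other networks' IP addresses unchanged behind their own MAC,
        # so two routers would otherwise look like two devices sharing every remote IP.
        self.routers = {m.lower() for m in known_routers}
        self.suppress_redundant = suppress_redundant
        self.macs_for_ip = defaultdict(set)   # IP -> physical addresses seen sourcing it
        self.reported = set()                 # (ip, mac) pairs already notified
        self.notifications = []
        self.duplicate_count = 0              # what the module adds to Summary Statistics

    def observe(self, src_mac, src_ip):
        """Feed one (source MAC, source IP) pair from a captured ARP or IP packet.
        Returns the notification text if this packet produced one, else None."""
        mac = src_mac.lower()
        if mac in self.ignore or mac in self.routers:
            return None
        others = self.macs_for_ip[src_ip] - {mac}
        self.macs_for_ip[src_ip].add(mac)
        if not others:
            return None                       # first device with this IP, or the same one again
        key = (src_ip, mac)
        if self.suppress_redundant and key in self.reported:
            return None                       # same conflict already reported
        self.reported.add(key)
        self.duplicate_count += 1
        note = f"Duplicate IP address {src_ip}: {mac} conflicts with {', '.join(sorted(others))}"
        self.notifications.append(note)
        return note


# Constructed observations: two local hosts fighting over 192.0.2.10, and a remote host
# whose packets arrive via two different routers on the segment.
ROUTER_A, ROUTER_B = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"
OBSERVATIONS = [
    ("00:11:22:33:44:01", "192.0.2.10"),
    ("00:11:22:33:44:02", "192.0.2.11"),
    ("00:11:22:33:44:03", "192.0.2.10"),   # genuine conflict
    ("00:11:22:33:44:03", "192.0.2.10"),   # repeat, suppressed as redundant
    (ROUTER_A, "198.51.100.7"),            # remote host forwarded by router A
    (ROUTER_B, "198.51.100.7"),            # same remote host forwarded by router B
    (BROADCAST_MAC, "192.0.2.11"),         # broadcast source address, ignored by default
]


def run(observations, known_routers=()):
    """Replay the observations and return the detector with its counters and notifications."""
    det = DuplicateAddressDetector(known_routers=known_routers)
    for mac, ip in observations:
        det.observe(mac, ip)
    return det


if __name__ == "__main__":
    print(run(OBSERVATIONS).notifications)                      # includes the router false positive
    print(run(OBSERVATIONS, (ROUTER_A, ROUTER_B)).notifications)  # routers identified first
```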


Email Analysis
The Email analysis module displays SMTP and POP3 commands that can be helpful in debugging Internet mail problems. The Email analysis module reports on client/server connections by counting the number of mail transfers initiated, the number of successful transfers, and the number of failed transfers. It then delivers this information to Summary Statistics and to the Summary column in the Packets view of any capture window.

SMTP specifies the exact format of messages a client on one machine uses to transfer mail to a server on another. Communication between a client and a server consists of readable ASCII text. First, the client establishes a reliable stream connection to the server and then waits for the server to send a 220 READY FOR MAIL message. If the server is overloaded, it may delay sending the 220 message temporarily. Once the 220 message is received by the client, the client sends a HELO command. The server responds by identifying itself. Once communication has been established, the sender can transmit one or more mail messages, terminate the connection, or request the server to reverse the roles of sender and receiver so messages can flow in the opposite direction. The receiver must acknowledge each message. It can also suspend the entire connection or the current message transfer.

Mail transactions begin with the MAIL command, which provides the sender identification as well as a FROM: field that contains the address to which errors should be reported. A recipient prepares its data structures to receive a new mail message and replies to a MAIL command by sending the response 250, which means all is well. The full response consists of the text 250 OK. As with other application protocols, programs read the abbreviated commands and 3-digit numbers at the beginning of lines. The remaining text is intended to help debug mail software. After a successful MAIL command, the sender issues a series of RCPT commands that identify recipients of the mail message. The receiver must acknowledge each RCPT command by sending 250 OK or by sending the error message 550 No Such User Here. After all RCPT commands have been acknowledged, the sender issues a DATA command. In essence, a DATA command informs the receiver that the sender is ready to transfer a complete mail message. The receiver responds with message 354 Start Mail Input and specifies the sequence of characters used to terminate the mail message. The termination sequence consists of 5 characters: carriage return, line feed, period, carriage return, and line feed. Although clients can suspend the delivery completely if an error occurs, most clients do not. Instead, they continue delivery to all valid recipients and then report problems to the sender. Usually, the client reports errors using email. The error message contains a summary of the error as well as the header of the mail message that caused the problem.

Once the client has finished sending all the mail messages to a particular destination, the client may issue the TURN command to turn the connection around. If it does, the server responds 250 OK and assumes control of the connection. With the roles reversed, the side that was originally the server sends back any waiting mail messages. Whichever side controls the interaction can choose to terminate the session by issuing a QUIT command. The other side responds with code 221, which means it agrees to terminate. Both sides then close the TCP connection.
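The MAIL / RCPT / DATA / 354 / CRLF.CRLF / 250 exchange described above, followed over a captured session to produce the three counters the module reports, as an added example that is not OmniPeek code. The transcript is constructed; EmailStats, count_transfers() and the "C:" / "S:" line-prefix convention are assumptions.

```python
"""Counting SMTP mail transfers from a captured control-channel exchange, the way the
Email analysis module reports transfers initiated, successful and failed.

Added example, not OmniPeek code. The transcript below is constructed; EmailStats,
count_transfers() and the "C:" / "S:" line-prefix convention are assumptions.
"""
import re


class EmailStats:
    """Follows the MAIL -> RCPT -> DATA -> 354 -> <body> -> CRLF.CRLF -> 250 sequence."""

    def __init__(self):
        self.initiated = 0            # MAIL commands seen
        self.successful = 0           # 250 after the message terminator
        self.failed = 0               # rejected MAIL/DATA, non-250 final reply, or RSET mid-transfer
        self.rejected_recipients = 0  # 550 No Such User Here replies to RCPT
        self.in_transaction = False   # a MAIL command has been issued and not yet completed
        self.in_data = False          # server sent 354; client lines are message body
        self.last_command = None      # SMTP verb that the next server reply answers

    def feed(self, direction, line):
        line = line.rstrip("\r\n")
        if direction == "C":
            self._client(line)
        else:
            self._server(line)

    def _client(self, line):
        if self.in_data:
            if line == ".":           # end of the 5-character terminator CRLF.CRLF
                self.in_data = False
                self.last_command = "END"
            return                    # everything else is message content, not a command
        verb = line.split(" ", 1)[0].upper()
        if verb == "MAIL":
            self.initiated += 1
            self.in_transaction = True
        elif verb == "RSET" and self.in_transaction:
            self.failed += 1          # client abandoned the transfer (counted as failed here)
            self.in_transaction = False
        self.last_command = verb

    def _server(self, line):
        if not line[:3].isdigit():
            return                    # not a reply line carrying a 3-digit code
        code = int(line[:3])
        if self.last_command == "RCPT" and code == 550:
            self.rejected_recipients += 1   # delivery continues to the remaining recipients
        elif self.last_command == "DATA" and code == 354:
            self.in_data = True             # 354 Start Mail Input
        elif self.last_command == "END":
            if code == 250:
                self.successful += 1
            else:
                self.failed += 1
            self.in_transaction = False
            self.last_command = None
        elif self.in_transaction and code >= 400 and self.last_command in ("MAIL", "DATA"):
            self.failed += 1                # sender or message rejected outright
            self.in_transaction = False


# Constructed sample session: one delivery with one bad recipient, then one that fails
# because its only recipient is unknown.
TRANSCRIPT = """\
S: 220 mail.example.test ESMTP ready
C: HELO client.example.test
S: 250 mail.example.test
C: MAIL FROM:<alice@example.test>
S: 250 OK
C: RCPT TO:<bob@example.test>
S: 250 OK
C: RCPT TO:<nobody@example.test>
S: 550 No Such User Here
C: DATA
S: 354 Start mail input; end with <CRLF>.<CRLF>
C: Subject: status
C:
C: All systems nominal.
C: .
S: 250 OK queued
C: MAIL FROM:<alice@example.test>
S: 250 OK
C: RCPT TO:<ghost@example.test>
S: 550 No Such User Here
C: DATA
S: 554 No valid recipients
C: QUIT
S: 221 Bye
"""

LINE_RE = re.compile(r"^([CS]):\s?(.*)$")


def count_transfers(transcript):
    """Return the counters the module would post to Summary Statistics."""
    stats = EmailStats()
    for raw in transcript.splitlines():
        m = LINE_RE.match(raw)
        if m:
            stats.feed(m.group(1), m.group(2))
    return {"initiated": stats.initiated, "successful": stats.successful,
            "failed": stats.failed, "rejected_recipients": stats.rejected_recipients}


if __name__ == "__main__":
    print(count_transfers(TRANSCRIPT))
```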

FTP Analysis
The FTP analysis module provides the ability to:

• Report the number of successful file transfer initiations, completions, and failures.
• Report and display the names of files that are being uploaded or downloaded.
• Report and display FTP commands (for example, ls, cd, and so forth).

The FTP analysis module also watches FTP control traffic for status messages that signal the successful start and end of a file transfer. A count is then added to Summary Statistics for these values. The FTP analysis module can also write these control messages to the Summary column of the Packets view of capture windows. FTP can send an unsuccessful termination message. This condition is rare, but can be of interest to a network manager, especially if there is a high incidence of terminated sessions. Normally, failed FTP transactions are due to unexpected network delays or disruptions. Because a status packet does not usually accompany termination, the only way for a network manager to be aware of this condition is by monitoring the difference between the successful start and end of file transfers. A high discrepancy can signal not only potential network problems, but also additional loss of bandwidth due to unsuccessful transfers.

ICMP Analysis
ICMP (Internet Control Message Protocol) is a maintenance protocol that handles error messages to be sent when packets are discarded or when systems experience congestion. For example, the classic TCP/IP test command is PING. It sends an ICMP Echo Request to a remote system. If the system responds, the link is operational. If it fails to respond to repeated pings, something is wrong. Another important function of ICMP is to provide a dynamic means to ensure that your system has an up-to-date routing table. ICMP is part of any TCP/IP implementation and is enabled automatically. ICMP messages provide many functions, including route redirection. If your workstation forwards a packet to a router, for example, and that router is aware of a shorter path to your destination, the router sends your workstation a redirection message informing it of a shorter route.

The ICMP analysis module displays information about ICMP destination unreachables, ICMP redirects, ICMP address mask replies, ICMP source quenches, and more. The analysis module can display ICMP type and code in Summary Statistics and in the Summary column of the Packets view of capture windows. This analysis module can also send notifications.

To change options in the ICMP analysis module Options dialog:

1. Choose Tools > Options > Analysis Modules.
2. Select ICMP Analysis Module and click the Options button. The ICMP Analysis Module Options dialog appears.
3. Select Report ping (echo) packets to log ping (echo) packets, or deselect it to ignore them. The default is to ignore these packets since they are quite common.
4. Click OK to accept your changes.

IP Analysis
The IP analysis module keeps track of and displays information about requests and responses from ARP, RARP, DHCP, and DNS; and TCP sequence numbers, acknowledgement numbers, windows, and flags, as well as TCP and UDP port numbers.

Address Resolution Protocol (ARP) dynamically discovers the physical address of a device, given its IP address. Reverse Address Resolution Protocol (RARP) enables a device to discover its IP address by broadcasting a request on the network. Dynamic Host Configuration Protocol (DHCP) provides clients with a dynamically assigned IP address and other network configuration parameters. Domain Name System (DNS) is a set of distributed databases providing information such as the IP addresses corresponding to network device names, and the location of mail servers.

A Sequence number is a 32-bit field of a TCP header. If the segment contains data, the Sequence number is associated with the first octet of the data. TCP requires that data is acknowledged (given an Acknowledgement number) before it is considered to have been transmitted safely. TCP maintains its connections within a series of TCP windows established by the protocol. TCP packets may contain flags to denote a variety of conditions or protocol functions.

Results of the IP analysis module are displayed in the Summary column in the Packets view of any capture window, and its counts are used as some of the key baseline traffic elements provided in Summary Statistics.

To change the options for the IP analysis module:

1. Choose Tools > Options > Analysis Modules.
2. Select IP Analysis Module and click the Options button. The IP Analysis Module Options dialog appears.
3. Options for this analysis module, all of which are enabled by default, are to show: ports, sequence number, length, ack number, window and TCP flags. Also enabled by default are the display options Right justify, which makes the numbers line up correctly in the Packets view, and Override default color, which shows information from this analysis module in gray in the Summary column of the Packets view.

Modbus Analysis
The Modbus analysis module collects information carried in the Modbus/TCP automation control protocol. The Modbus analysis module collects the type (query or response), transaction number, and function command found in Modbus over TCP packets, and posts this information to the Summary column of the Packets view of capture windows. Modbus is a standard for device control and reporting in industrial computing.

MPLS/VLAN Analysis
The MPLS/VLAN analysis module provides statistics for MPLS and VLAN networks. The MPLS/VLAN analysis module is supported on both OmniPeek and OmniEngine. This combined plug-in provides basic statistics (i.e., total packets/bytes and packets/bytes per IPNode) and is displayed in the Summary view. Unlike other plug-ins, the MPLS and VLAN statistics are created dynamically: for each 802.1Q VLAN ID observed in the capture, a new VLAN group is created in the Summary view, named VLAN Network <id>, where <id> is the VLAN ID as specified in the 802.1Q header. Within this group, there is one statistic for each IP address observed using that VLAN ID. In addition, there is a Total statistic representing the total number of packets and bytes observed using that VLAN ID. For each MPLS label observed in the capture, a new group is created in the Summary view, named MPLS Network <label>, where <label> is the MPLS label as specified in the MPLS header. Within this group, there is one statistic for each IP address observed using that MPLS label. In addition, there is a Total statistic representing the total number of packets and bytes observed using that MPLS label. These statistics can be used to make Graphs or Alarms, as with most other summary statistics, subject to the current limitations of graphs and alarms (e.g., there are no alarms on local captures).

To change the options for the MPLS/VLAN analysis module:

1. Choose Tools > Options > Analysis Modules.
2. Select MPLS/VLAN Analysis and click the Options button. The MPLS/VLAN Analysis Module Options dialog appears.
3. Select Limit statistics collection and specify an upper limit for statistics collection (if not selected, there is no limit). If the Notify check box is enabled, a notification is also sent when the limit is reached, with the severity of that notification set in the Severity drop-down.
4. Click OK to accept your changes.


NCP Analysis
The NCP analysis module collects request commands and response completion codes found in NCP (Netware Core Protocol) headers and posts this information to the Summary column of the Packets view of capture windows. NCP defines a set of request and reply packets used in support of file and print services, originally over IPX, but now also over IP.

NetWare Analysis
The NetWare analysis module provides information on unanswered RIP, SAP, and NCP requests to Summary Statistics and displays hop and tick counts for RIP packets, Sequence and Acknowledgement numbers for SPX, function and return codes for NCP packets, and service names for SAP packets in the Summary column in the Packets view of any capture window.

Newsgroup Analysis
The Newsgroup analysis module displays and logs accesses to newsgroups and provides these counts to Summary Statistics and the Summary column in the Packets view of any capture window. Anytime a newsgroup is accessed over the network by way of NNTP, the analysis module will generate a Notification noting the specific newsgroup name and the date and time of the access event.

PPP Analysis
The PPP analysis module summarizes PPP traffic. The analysis module provides this information to Summary Statistics and the Summary column in the Packets view of any capture window.

RADIUS Analysis
The RADIUS analysis module provides statistics and decode summaries for Remote Access Dial-up User Services (RADIUS) and RADIUS accounting packets, including summaries for Access Request, Accept, and Reject packets; Accounting Request and Response packets; Access Challenge; and RADIUS Start and Stop packets. The analysis module provides this information to Summary Statistics and the Summary column in the Packets view of any capture window.


RFGrabber
The RFGrabber, which appears in the Analysis Modules view of the Options dialog in OmniPeek, is the built-in software support for configuring, controlling, and communicating with the separately purchased RFGrabber probe. You can enable or disable the RFGrabber functionality in OmniPeek in the Analysis Modules view of the Options dialog. For complete details about the RFGrabber probe and how it is used with OmniPeek, please see the documentation that ships with the product.

SCTP Analysis
The SCTP analysis module collects information on the chunk type found in SCTP (Stream Control Transmission Protocol) headers and posts this information to the Summary column of the Packets view of capture windows. SCTP (RFC 2960) provides reliable simultaneous transmission of multiple data streams between two nodes on an IP network. Either or both of the end points may be multi-homed. The original purpose of SCTP was to make IP networks capable of establishing the types of connections required for telephone service. Telephone service relies on SS7 (Signalling System 7), which sends signalling information (that is, information about the connection) along with the voice or other data at the same time. Sometimes referred to as next generation TCP (TCPng), SCTP was designed for broad application, and is not limited to telephone service over IP.

SMB Analysis
The SMB analysis module tracks many of the most common commands, status messages, and other responses for the Server Message Block protocol. It displays information about these SMB transactions in the Summary column of the Packets view of any capture window. SMB is essentially an extended and enhanced file management protocol. Conceptually, the protocol treats files, printers, and named pipes as file objects which can be opened, closed, and modified.

To change the options for the SMB analysis module:

1. Choose Tools > Options > Analysis Modules.
2. Select SMB Analysis Module and click the Options button. The SMB Analysis Module Options dialog appears.
3. Select Show SMB command descriptions to display SMB command descriptions in the Summary column in the Packets view of capture windows.

SQL Analysis
The SQL analysis module provides decode summaries for TNS and TDS traffic. Structured Query Language (SQL) is a widely used standard for querying databases. When using SQL over a network, the queries and data are carried within special protocols, where the type of protocol used depends on the type of database environment. Oracle environments use Transparent Network Substrate (TNS). Sybase and Microsoft SQL Server environments use the Tabular Data Stream protocol (TDS). The module provides TDS descriptions including Login, RPC, and SQL summary strings. For TNS, the module provides decode summaries for TNS Connect, Accept, Refuse, Redirect, Data, Abort, Resend, Marker, and Control packets. The analysis module provides this information to the Summary column in the Packets view of any capture window.

SUM Analysis
The SUM analysis module provides decode summaries to the Summary column in the Packets view of a capture window for the following protocols: BGP, HSRP, LDP, RPC, SNMP, and XOT.

To change the options for the SUM analysis module:

1. Choose Tools > Options > Analysis Modules.
2. Select SUM Analysis Module and click the Options button. The SUM Analysis Module Options dialog appears.
3. Select the protocols for which you would like to display decode summaries in the Summary column in the Packets view of capture windows.

Telnet Analysis
The Telnet analysis module displays the contents of telnet sessions in the Summary column in the Packets view of any capture window. Telnet is a TCP/IP protocol that enables a terminal attached to one host to log in to other hosts and interact with their resident applications.

VoIP Analysis
The VoIP analysis module provides information on traffic related to Voice over IP (VoIP). Specifically, the module provides decode summaries for MGCP, SIP, RTCP, G.723, H.323, H.225, G.711 traffic, and follows H.245 connections based on H.323 port/IP connection data. The VoIP analysis module provides its decode summaries to the Summary column in the Packets view of any capture window.

WAN Analysis
The WAN analysis module provides statistics and decode summaries for Frame Relay, PPP, X.25, Q.921, and Q.931. The analysis module provides this information to Summary Statistics and the Summary column in the Packets view of any capture window.


Web Analysis
The Web analysis module displays and logs access to World Wide Web resources. When a Web URL is accessed over the network, the URL is added to the log file, noting the date and time of the access. The information is also written to the Summary column in the Packets view of any capture window. The Web analysis module adds a count of URLs accessed in Summary Statistics.

Tip Double-click any URL posted to the Log file by the Web analysis module to open that resource in your default browser.

Note In environments with significant Web traffic, the Web analysis module can write substantial amounts of information to the global log. You may want to disable the Web analysis module in such cases to prevent the Log file from growing too large, too quickly.


APPENDIX E: Expert Events


In this appendix:

About Expert events 516
VoIP 516
WAN 518
Wireless 518
Network Policy 523
Client/Server 523
Application 524
Session 527
Transport 527
Network 529
Data Link 530
Physical 531


About Expert events


This appendix lists all of the Expert Events found in the program. For a complete list of the descriptions, possible causes, and remedies of each Expert Event, please see the Expert EventFinder or the OmniPeek online help.

VoIP

• H.225 RAS Reject: An H.225 Registration, Admission and Status (RAS) request has been rejected by a Gatekeeper.

• H.225 Call Signaling (Q.931) - Call Dropped: An H.225/Q.931 Signaling Protocol RELEASE COMPLETE message with a cause other than most normal causes is observed on a previously established call.

• H.225 Call Signaling (Q.931) - Call Rejected: An H.225/Q.931 Signaling Protocol RELEASE COMPLETE message with a cause other than most normal causes is observed on a previously established call.

• H.245 Control Reject: An H.245 Control Protocol Request has been rejected.

• Low MOS-CQ: The PMOS-CQ score for a VoIP flow has dropped below the threshold specified in the EventFinder settings.

• Low R Factor Conversational: The R-Conversational factor for a VoIP flow has dropped below the threshold specified in the EventFinder settings.

• MGCP - Transient Error: A "resource not available" error has occurred, causing the current operation to fail, but with the expectation that the same operation can be fulfilled in a future request.

• MGCP - Permanent Error: A permanent error has occurred that cannot be fulfilled in future requests and will not disappear with time.

• MGCP - Connection Deleted or Restart in Progress: The gateway is deleting or restarting a connection to a Call Agent.

• RTP Excessive Jitter Detected: By checking the timestamps of arriving RTP packets, the Expert has detected excessive interarrival jitter (packets which are not arriving at constant intervals). Ideally, jitter should be near zero. To report events based on the jitter values contained within RTCP packets, see the RTP Excessive Jitter Reported event.

• RTP Excessive Jitter Reported: RTP interarrival jitter (packets which are not arriving at constant intervals) is reported by the recipient in its Real-time Transport Control Protocol (RTCP) report (usually sent at 5 second or shorter intervals). Ideally, jitter should be near zero. To report events based on the RTP packet timestamps, see the RTP Excessive Jitter Detected event.

• RTP Excessive Packet Loss Detected: Analysis of captured RTP packets shows a packet loss level above the threshold specified in the EventFinder settings.

• RTP Excessive Packet Loss Reported: An RTCP packet has reported that a receiver has seen a packet loss level above the threshold specified in the EventFinder settings.

• RTP Not Marked for QoS: IP QoS is not enabled on the device that forwarded the received packet.

• RTP Late Packet Arrival: An RTP packet arrived later than expected.

• RTP Packet Out of Sequence: An RTP packet has arrived ahead of a previously sent RTP packet.

• SCCP Station Alarm - Advisory: The Cisco Skinny Client Control Protocol (SCCP) defines eight levels of station alarms. The Expert groups the lower four station alarms in this category: Debug, Informational, Notice, and Warning. The upper four are grouped into the SCCP Station Alarm - Critical Alert group.

• SCCP Station Alarm - Critical Alert: The Cisco Skinny Client Control Protocol (SCCP) defines eight levels of station alarms. The Expert groups the four most severe station alarms in this category: Emergency, Alert, Critical, and Error. The lower four are grouped into the SCCP Station Alarm - Advisory group.

• SCCP Station QoS Error: A Cisco SkinnyEP (RSVP Agent) is reporting an error to Call Manager.

• SCCP Station Register Reject: The Call Manager is rejecting a station's attempt to register.

• SIP Post-Dial Delay Exceeded: The delay between a client's first Session Initialization Protocol (SIP) INVITE request and the resulting 180 Ringing response from a server exceeded the threshold.

• SIP Redirection: A client's Session Initialization Protocol (SIP) request resulted in a 3xx Redirection response from a server.

• SIP Client Authentication Required: A client's Session Initialization Protocol (SIP) request resulted in a 401 Unauthorized or 407 Proxy Authentication Required response from a server.

• SIP Client Error: A client's Session Initialization Protocol (SIP) request resulted in a 4xx Request Failure response from a server.

• SIP Server Error: A client's Session Initialization Protocol (SIP) request resulted in a 5xx Server Failure response from a server.

• SIP Global Error: A client's Session Initialization Protocol (SIP) request resulted in a 6xx Global Failure response from a server.
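How the RTP Excessive Jitter Detected and RTP Packet Out of Sequence events above can be derived from the captured packets themselves, as an added example that is not OmniPeek code: the RFC 3550 interarrival jitter estimator run over RTP timestamps and capture times, with a sequence check. The packets and arrival times are constructed; rtp_jitter_report(), the 8 kHz clock (G.711) and the 2 ms threshold are assumptions.

```python
"""Interarrival jitter and sequence checks on captured RTP packets, as the RTP Excessive
Jitter Detected and RTP Packet Out of Sequence events derive them from the packets
themselves (RFC 3550 section 6.4.1 jitter estimator).

Added example, not OmniPeek code. The packets and arrival times are constructed;
rtp_jitter_report(), the 8 kHz clock (G.711) and the 2 ms threshold are assumptions.
"""
import struct

CLOCK_RATE = 8000                    # G.711 RTP timestamp clock, ticks per second
TICK_US = 1_000_000 // CLOCK_RATE    # 125 microseconds per tick


def build_rtp(seq, timestamp, ssrc=0x1234ABCD, payload_type=0):
    """Constructed 12-byte RTP header (V=2, no padding/extension/CSRC) plus a dummy payload."""
    return struct.pack("!BBHII", 0x80, payload_type, seq, timestamp, ssrc) + b"\x00" * 160


def parse_rtp(packet):
    """Return (sequence number, timestamp, SSRC) from a fixed RTP header."""
    first, _pt, seq, timestamp, ssrc = struct.unpack("!BBHII", packet[:12])
    if first >> 6 != 2:
        raise ValueError("not RTP version 2")
    return seq, timestamp, ssrc


def rtp_jitter_report(arrivals, threshold_ms):
    """arrivals: list of (capture arrival time in microseconds, packet bytes), one RTP stream.
    Returns the running jitter after each packet (ms), the indexes at which it exceeded
    the threshold, and sequence numbers that arrived after a later packet.
    Sequence wraparound at 65535 is not handled in this example."""
    jitter_us = 0.0
    prev = None                      # (arrival_us, RTP timestamp converted to us)
    highest_seq = None
    jitter_ms, excessive, out_of_seq = [], [], []
    for idx, (arrival_us, pkt) in enumerate(arrivals):
        seq, ts, _ = parse_rtp(pkt)
        ts_us = ts * TICK_US
        if highest_seq is not None and seq < highest_seq:
            out_of_seq.append(seq)   # a later packet already arrived ahead of this one
        highest_seq = seq if highest_seq is None else max(highest_seq, seq)
        if prev is not None:
            # D(i,j) = (Rj - Ri) - (Sj - Si): change in transit time between consecutive packets
            d = (arrival_us - prev[0]) - (ts_us - prev[1])
            # J = J + (|D| - J) / 16: the smoothed estimate an RTCP receiver report carries
            jitter_us += (abs(d) - jitter_us) / 16
        prev = (arrival_us, ts_us)
        jitter_ms.append(jitter_us / 1000)
        if jitter_ms[-1] > threshold_ms:
            excessive.append(idx)
    return {"jitter_ms": jitter_ms, "excessive": excessive, "out_of_sequence": out_of_seq}


# Constructed streams: 20 ms G.711 frames (160 ticks). STEADY arrives exactly on time,
# JITTERY has one packet delayed by 30 ms, REORDERED has two packets swapped in transit.
STEADY = [(i * 20_000, build_rtp(100 + i, i * 160)) for i in range(4)]
JITTERY = [(0, build_rtp(100, 0)), (20_000, build_rtp(101, 160)),
           (70_000, build_rtp(102, 320)), (80_000, build_rtp(103, 480))]
REORDERED = [(0, build_rtp(100, 0)), (20_000, build_rtp(102, 320)),
             (40_000, build_rtp(101, 160))]

if __name__ == "__main__":
    for name, stream in (("steady", STEADY), ("jittery", JITTERY), ("reordered", REORDERED)):
        print(name, rtp_jitter_report(stream, threshold_ms=2.0))
```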


WAN

• Frame Relay Excessive FECN: Forward Explicit Congestion Notification. A frame relay switch that is relaying frame relay traffic between DLCIs has recognized congestion in the forwarding DLCI and is setting the FECN bit in a frame that is being forwarded. Also see BECN.

• Frame Relay Excessive BECN: Backward Explicit Congestion Notification. A frame relay switch that is relaying frame relay traffic between DLCIs has recognized congestion in the forwarding DLCI and is setting the BECN bit in a frame that is heading the opposite direction back to the originating DLCI. Also see FECN.

• Frame Relay DLCI Status Change: A DLCI has gone down, has become inactive, a new DLCI has been activated, or there is a complete reconfiguration of DLCIs.

• PPP Configure NAK: During PPP setup, all configuration options are recognizable by the peer, but one or more of the values are not acceptable.

• PPP Reject: During PPP setup, there has been a Configure-Reject, Code-Reject, or Protocol-Reject from the peer.

• PPP Terminate-Request: A sustained level of all stations broadcast packets (the destination physical address consists of all 1s) has met or exceeded the threshold.

Wireless
Performance
Wireless - Too Many Physical Errors: There are frames captured at this location containing a CRC error. The threshold is in number of CRC errors per second. Wireless AP - QBSS Client Too Many: A QoS Basic Service Set (QBSS) capable access point has more users than the specified default. Wireless AP - Mixed Mode: An 802.11 b/g access point is communicating with both b

and g clients.
Wireless AP - 802.11n Capable: An access point is capable of using 802.11n. Wireless AP - 802.11n Dual Channel Capable: An access point is advertising that it is capable of using dual channel mode for increased throughput. Wireless AP - Physical Errors: There are frames from a wireless client captured at this location containing a CRC error. The threshold is in number of CRC errors per second

518 WAN

OmniPeek User Guide

Wireless AP - QoS Not Enabled: An access point is not advertising that it is capable of

QoS or WMM.
Wireless AP - Repeater Mode Detected: Reported once per access point, this condition implies that an access point is functioning as a relaying device, cutting effective throughput in half. Wireless AP - Too Many: The number of access points observed on a given channel is at or greater than the threshold, decreasing the efficiency of utilization (contention) of that channel. Wireless AP - Too Many Clients: The number of active clients connected to an access point has exceeded the threshold. Wireless AP - Too Many Retries: The access point has previously attempted to send

packets over the wireless medium without receiving an ACK from the receiver.
Wireless AP - Weak Signal: The signal strength of a frame transmitted by an access

point and captured at this location is at or below the threshold.


Wireless Channel Overlap: The Expert has detected a management frame from a channel other than the capture channel, indicating channel overlap or bleed. Wireless Client - Excessive Roam Time: A roaming client has been observed to take an unacceptably long time to rejoin another access point the wireless network. This can cause performance effects on time-sensitive applications such as VoIP over WLAN Wireless Client - High Fragmentation Rate: Based on the threshold, there are too

many packets being fragmented into smaller packets. This impacts performance on your WLAN by increasing traffic and decreasing effective throughput.

Wireless Client - No Response to Probe Request: The access point failed to send out

a probe response frame for outstanding probe request from clients for its ESSID.
Wireless Client - Physical Errors: There are frames from a wireless client captured at

this location containing a CRC error. The threshold is in number of CRC errors per second.

Wireless Client - Power Save Interval Exceeded: Association requests specify the

number of beacon intervals a station will wait before waking up to receive buffered traffic from the access point. A wireless client has failed to wake up within this time to receive buffered traffic.

Wireless Client - Power Save Listen Interval Too Long: The wireless client has been

observed to have a power save interval longer than the specified value in the threshold.

Wireless

519

Appendix E: Expert Events

Wireless Client - Power Save Missed Packet: An access point has dropped buffered data that was being held for a client in the sleep state. Wireless Client - Probe Response Not Accepted: The reported wireless client has not continued the normal process of associating with the responding access point after receiving a matching probe response frame. Wireless Client - Too Many Retries: The client has previously attempted to send

packets over the wireless medium without receiving an ACK from the receiver.
Wireless Client - Weak Signal: The signal strength of a frame transmitted by a client

and captured at this location is at or below the threshold. The minimum sample period is how often this event is reported.

Wireless Data Rate Change: The data rate of this packet is lower than the previous packet.

Wireless Excessive Data Rate Change: The data rate of this packet is changing at an excessive rate.

Wireless Excessive Probe Requests: A client is sending excessive probe requests. If this problem persists, it could lead to lowered available bandwidth and a delay in the client getting on the network.

Wireless Excessive RTS: A wireless network has seen more RTS (Request to Send) packets than specified by the threshold. This overhead can slow down the overall throughput of the network if used excessively.

Wireless Fragmentation Packet Size Too Small: The wireless fragmentation size of a packet is lower than the threshold. This can cause a decrease in throughput, but increase the ability of the sender to deal with interference.

Wireless g Device Short Time Slot: A wireless 802.11g device has re-transmitted a frame using the short time slot. This may be an indication of a collision problem in a mixed b/g network, as 802.11b does not support short slots.

Wireless High Beacon Rate: An access point or ad hoc station is sending beacon frames at a faster rate than the threshold.

Wireless Low Signal-to-Noise Ratio: The analyzer is receiving packets with a low signal-to-noise ratio, below the value specified in the settings.

Wireless RF Interference: Unwanted RF signals disrupt normal operation, causing lower data rates and a high percentage of wireless retries. This event is triggered when noise is detected above the configured threshold in the EventFinder settings.

Wireless RTS/CTS Data Packets Too Small: The RTS/CTS mechanism is using packet sizes smaller than the threshold, potentially impacting throughput.


Wireless Transmission Retry: The transmitter has previously attempted to send this packet over the wireless medium.

Security

Wireless AP - Broadcasting ESSID: The access point is sending its ESSID in beacon broadcasts, allowing all stations (including tools that snoop broadcast packets) to see the ESSID.

Wireless AP - Inconsistent Configuration: Multiple access points (BSSIDs) in your WLAN, with the same ESSID, have conflicting configuration elements such as different data rates, compatibility configurations or more.

Wireless AP - Missing: An access point, active in the past, has recently stopped transmitting packets. This event is only reported once per access point unless the device reappears and disappears again.

Wireless AP - Not Configured: The access point is broadcasting an ESSID that is one of several known default ESSIDs. The ESSID table is contained in an XML file which can be updated.

Wireless AP - Possible Spoof: Multiple access points are seen beaconing for a short period of time and then disappearing.

Wireless AP - Restarted: An access point has been restarted within the past number of minutes as determined by the threshold.

Wireless AP - Rogue: An unrecognized access point has been detected, since it does not exist in the name table and it is not designated as an access point.

Wireless AP - WEP Not Required: The access point does not require WEP for stations to associate to it.

Wireless Ad Hoc Detected: Two or more wireless nodes are communicating directly to each other without using an access point. If communicating on the same or nearby channel as a wireless infrastructure using access points, available bandwidth can be severely impacted.

Wireless Association Attack: The number of association requests is at or has exceeded the threshold, measured in number of associations in so many seconds.

Wireless Association Denied: An authenticated client's association request was denied by the access point, resulting in any of the following status codes in the association response frame: 12, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26.

Wireless Authentication Attack: The number of authentication requests is at or has exceeded the threshold, measured in number of authentications in so many seconds.


Wireless Authentication Denied: An access point is rejecting a client's authentication request. A normal insertion by a client into a wireless network is a probe request followed by authentication, then association.

Wireless Client - Associated with Rogue Access Point: A client has associated with an unknown or untrusted access point. This event is monitored and reported for each recorded association.

Wireless Client - Acting as DHCP Server: A wireless client is acting as a DHCP server, indicating a potential rogue DHCP server and security risk.

Wireless Client - Rogue: An unrecognized client has been detected, since it does not exist in the name table.

Wireless Client - Using Access Point Address: A station is transmitting frames using the same source address as an access point.

Wireless Client - Using Access Point ESSID: A wireless client in ad hoc mode has been detected using the same ESSID that is being used by valid access point(s) in the infrastructure network. This leads some clients to connect to an undesired network.

Wireless Data Sent But Not Associated: A data frame has been received by the access point from a non-authenticated station. The access point will reject the frame and send a deauthenticate frame back to the station with the error status.

Wireless Deauthentication Attack: There are a large number of deauthentication frames, which may be from a client spoofing an access point. These frames are usually sent to the all stations broadcast address, causing all stations associated with that access point to disassociate.

Wireless Duration Attack: The duration field in the client's data frame is set to a value higher than the above threshold. The duration field reserves the wireless medium by updating the Network Allocation Vector (NAV) for the time it will take to complete a WLAN transaction including acknowledgements.

Wireless PSPF Violation: Public Secure Packet Forwarding (PSPF). Two clients are communicating to each other via an access point. In some hotspots this is undesirable as a possible security and/or performance risk.

Wireless Reassociation Denied: An access point is rejecting a client's association request. A normal insertion by a client into a wireless network is a probe request followed by authentication, then association.

Wireless RF Jamming: RF Jamming is a step above innocent interference. Jamming can be defined as malicious attacks on your RF domain in order to cause service disruptions. This event is triggered when noise is detected above the configured threshold in the EventFinder settings.


Wireless Same Send & Receive Address: The source address and destination address are identical.

Wireless Security Error: A wireless (802.11i or WPA2) security error has occurred during a wireless transaction.

Wireless Source Address is Broadcast: A station has assigned an all stations broadcast address (all 1s, or FF:FF:FF:FF:FF:FF in hex) as its source address.

Wireless Source Address is Multicast: A station has assigned a multicast address (the lower bit of the first byte of an address is set to 1) as its source address.

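The address and status checks behind several of the wireless Security events above are simple enough to restate in code. The following is an added example, not OmniPeek's own code: it evaluates, on constructed frames, the conditions the guide gives for Wireless Source Address is Broadcast, Wireless Source Address is Multicast, Wireless Same Send & Receive Address, Wireless Client - Using Access Point Address and Wireless Association Denied. The Frame record, the known-BSSID set and the from_ds flag (used here as a simplification to tell an access point's own frames from a station borrowing its address) are assumptions of this example.

```python
"""Address and status checks behind several OmniPeek wireless Security events.

Added example, not OmniPeek's own code. Frame records, the known-AP set and the
from_ds simplification are constructed for this demo.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

BROADCAST = "ff:ff:ff:ff:ff:ff"
# Status codes the guide lists for "Wireless Association Denied".
DENIED_STATUS_CODES = {12, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26}


def is_broadcast(mac: str) -> bool:
    return mac.lower() == BROADCAST


def is_multicast(mac: str) -> bool:
    """Group address: the least significant bit of the first octet is set."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


@dataclass
class Frame:
    src: str
    dst: str
    subtype: str                  # "data", "assoc_resp", ...
    from_ds: bool = False         # assumption: True only when an AP is the transmitter
    status: Optional[int] = None  # status code carried by association responses


def check_frame(frame: Frame, known_aps: Set[str]) -> List[str]:
    """Return the names of the events this one frame would raise."""
    events: List[str] = []
    src, dst = frame.src.lower(), frame.dst.lower()
    if is_broadcast(src):
        events.append("Wireless Source Address is Broadcast")
    elif is_multicast(src):
        events.append("Wireless Source Address is Multicast")
    if src == dst:
        events.append("Wireless Same Send & Receive Address")
    if src in known_aps and not frame.from_ds:
        events.append("Wireless Client - Using Access Point Address")
    if frame.subtype == "assoc_resp" and frame.status in DENIED_STATUS_CODES:
        events.append("Wireless Association Denied")
    return events


# Constructed sample: one trusted access point and a handful of frames.
KNOWN_APS = {"00:11:22:33:44:55"}
SAMPLE_FRAMES = [
    Frame("00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", "data", from_ds=True),  # the AP itself: clean
    Frame("00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", "data"),                # station using the AP address
    Frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", "data"),                # broadcast source address
    Frame("01:00:5e:00:00:01", "00:11:22:33:44:55", "data"),                # multicast source address
    Frame("aa:bb:cc:dd:ee:02", "aa:bb:cc:dd:ee:02", "data"),                # same send and receive address
    Frame("00:11:22:33:44:55", "aa:bb:cc:dd:ee:03", "assoc_resp", from_ds=True, status=17),  # denied
    Frame("00:11:22:33:44:55", "aa:bb:cc:dd:ee:03", "assoc_resp", from_ds=True, status=0),   # accepted
]


def sample_report() -> List[List[str]]:
    return [check_frame(f, KNOWN_APS) for f in SAMPLE_FRAMES]


if __name__ == "__main__":
    for frame, events in zip(SAMPLE_FRAMES, sample_report()):
        print(frame.src, "->", frame.dst, events or "ok")
```

The multicast test is the same bit the guide describes for the Source Address is Multicast event; because the broadcast address also has that bit set, the broadcast check runs first so each frame gets the more specific event.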
Network Policy

Network Policy Violation - Vendor ID: A device with a prohibited MAC address is transmitting on the network.

Network Policy Violation - Channel: A wireless device is transmitting on a prohibited channel.

Network Policy Violation - ESSID: An access point is broadcasting a prohibited ESSID.

Network Policy Violation - WLAN Encryption: A device is transmitting on the network with a prohibited form of WLAN encryption.

Network Policy Violation - WLAN Authentication: A device is transmitting on the network with a prohibited form of WLAN authentication.

Client/Server

Busy Network or Server: There is a moderate to high fluctuation in response time. The higher the sensitivity, the higher the likelihood that this problem will be flagged.

Inefficient Client: Chatty conversations in which data packets from a server have small average packet sizes. The higher the sensitivity, the higher the likelihood that this problem will be flagged.

Low Server-to-Client Throughput: The throughput from the server to the client is at or lower than the threshold.

Low Client-to-Server Throughput: The throughput from the client to the server is at or lower than the threshold.

Non-Responsive Client: Often indicates that a client or peer (for which a connection has already been established) is not acknowledging data received from the server or peer.


Non-Responsive Server: Often indicates that a server or peer (for which a connection has already been established) is no longer responding to repeated packet retransmissions from a client or peer.

One-Way Traffic: No packets have been seen in the reverse direction for a user-definable length of time. This diagnosis is flagged only once for a given conversation.

Slow Server Response Time: The average response time from the server is equal to or higher than the threshold.

Application

Apdex

Apdex Score - Client Too Low: An application client's Apdex score has dropped below the event threshold score.

Apdex Task Ended - Tolerating User: A single task has ended. Its duration exceeded the Apdex threshold duration.

Apdex Task Ended - Frustrated User: A single task has ended. Its duration exceeded 4 times the Apdex threshold duration.

DHCP

DHCP Low Lease Time: The client has been offered an IP address lease in which the lease time is at or below the threshold.

DHCP Multiple Server Response: A client requesting an IP address has had multiple DHCP servers respond to its request.

DHCP Request Rejected: A DHCP Request has been rejected by a DHCP server.

DHCP Request Storm: A high count of DHCP addresses are being requested.

DNS

DNS Slow Response Time: The average response time from the DNS server is equal to or higher than the threshold.

DNS Error: An error response from a DNS server that is usually more serious than an invalid name.

DNS Non-Existent Host or Domain: The host or domain name requested in a DNS name query cannot be found, or the name for a given IP address cannot be found (reverse lookup).

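The three Apdex events above follow directly from the public Apdex definition, shown here as an added example that is not OmniPeek's own code: with threshold T, a task is satisfied when its duration is at most T, tolerating when it is above T but at most 4T, and frustrated above 4T, and the score is (satisfied + tolerating / 2) / total. The task durations, the threshold T = 1.0 s, the client name and the 0.85 score threshold are constructed values for the demo.

```python
"""Apdex scoring behind the Apdex application events.

Added example, not OmniPeek's own code. Applies the public Apdex definition
to constructed task durations; T and the score threshold are constructed.
"""
from typing import List, Optional, Sequence, Tuple


def classify_task(duration_s: float, t: float) -> str:
    """Map one completed task to its Apdex zone for threshold t (seconds)."""
    if duration_s <= t:
        return "satisfied"
    if duration_s <= 4 * t:
        return "tolerating"     # raises "Apdex Task Ended - Tolerating User"
    return "frustrated"         # raises "Apdex Task Ended - Frustrated User"


def apdex_score(durations_s: Sequence[float], t: float) -> Optional[float]:
    """Apdex = (satisfied + tolerating / 2) / total; None when no task has ended."""
    if not durations_s:
        return None
    counts = {"satisfied": 0, "tolerating": 0, "frustrated": 0}
    for d in durations_s:
        counts[classify_task(d, t)] += 1
    return (counts["satisfied"] + counts["tolerating"] / 2) / len(durations_s)


def apdex_events(client: str, durations_s: Sequence[float], t: float,
                 score_threshold: float) -> List[Tuple[str, str, float]]:
    """Per-task events, then the client-level event when the score is too low."""
    events: List[Tuple[str, str, float]] = []
    for d in durations_s:
        zone = classify_task(d, t)
        if zone == "tolerating":
            events.append(("Apdex Task Ended - Tolerating User", client, d))
        elif zone == "frustrated":
            events.append(("Apdex Task Ended - Frustrated User", client, d))
    score = apdex_score(durations_s, t)
    if score is not None and score < score_threshold:
        events.append(("Apdex Score - Client Too Low", client, round(score, 3)))
    return events


# Constructed sample: five task durations (seconds) seen for one client.
SAMPLE_DURATIONS = [0.5, 1.0, 2.5, 4.0, 9.0]
APDEX_T = 1.0
SCORE_THRESHOLD = 0.85

if __name__ == "__main__":
    for event in apdex_events("10.0.0.7", SAMPLE_DURATIONS, APDEX_T, SCORE_THRESHOLD):
        print(*event)
```

With the sample durations, two tasks are satisfied, two tolerating and one frustrated, so the score is (2 + 1) / 5 = 0.6, which is below the constructed 0.85 threshold.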

HTTP

HTTP Request Not Found: Also known as Client Error 404, the HTTP server has nothing matching the client's request.

HTTP Client Error: Returned from the server as a result of an invalid HTTP client request and usually more serious than an invalid URL (see HTTP Request Not Found).

HTTP Server Error: A client's request is usually valid, but the server has erred. Also known as Server Error 5xx.

HTTP Slow Response Time: The average response time from the server is equal to or higher than the threshold.

Oracle

Oracle Logon Denied: The Oracle client's logon data was rejected by the remote server.

Oracle Slow Response Time: The average response time from the Oracle server is equal to or higher than the threshold.

Oracle TNS Connection Refused: The client's connect request was denied by the remote server.

POP3

POP3 Login Failed: A POP3 server has rejected a client's attempt to authenticate.

POP3 Server Returned Error: A POP3 connection or request has been rejected by a POP3 server after a TCP connection has already been established.

POP3 Slow Response Time: The average response time from the server is equal to or higher than the threshold.

SMB/CIFS

SMB Logon or Access Denied: A Server Message Block (SMB) attempt to logon or share a remote resource has failed.

SMB Command Rejected: A Server Message Block (SMB) command has been rejected.

SMB Invalid Network Resource: A Server Message Block (SMB) command to connect to a network resource name has been rejected.


SMB Repeated or Looped Transaction: An SMB application or OS redirector has sent the same transaction command back-to-back within the threshold time setting.

SMB Excessive Transaction Loops: An SMB application or OS redirector has sent too many SMB Repeated or Looped Transaction commands within the threshold percentage of packets.

SMTP

SMTP Server Returned Error: An SMTP request has been rejected by an SMTP server.

SMTP Slow Response Time: The average response time from the server is equal to or higher than the threshold.

SQL

SQL Server Failed Login: The SQL Server client's login was rejected by the remote server.

SQL Server Client Error: The SQL Server has encountered errors that can be corrected by the client.

SQL Server Fatal Error: The SQL Server has encountered a non-recoverable system problem in which the program code that carries out a particular SQL statement is no longer running.

SQL Server Resource Error: The SQL Server has run out of resources.

SQL Server Slow Response Time: The average response time from the SQL Server is equal to or higher than the threshold.

FTP Slow Response Time: The average response time from the server is equal to or higher than the threshold.

Kerberos Request Rejected: A Kerberos Request has been rejected by a Kerberos server.

LDAP Slow Response Time: The average response time from the LDAP server is equal to or higher than the threshold.

NFS Retransmission: One or more packets of an NFS transaction using UDP has not reached its destination.

Windows Master Browser Election: A Windows node has broadcast an election datagram to force a master browser election. The Browser protocol is used to maintain the Network Neighborhood.


Session

NetBIOS (over IP) Session Refused: The host is rejecting a client's NetBIOS connection attempt.

Transport

TCP

TCP Connection Refused: The host is rejecting a client's initial TCP connection attempt.

TCP Connection Lost: TCP data is repeatedly being sent with no acknowledgement until the sender gives up and resets the connection.

TCP Inactive Connection Reset: The sender has set the RST flag in a TCP packet.

TCP Connection Reset: One end of a TCP connection has set the RST flag in a TCP packet, which sometimes indicates an abrupt disconnect. The normal TCP disconnect is to FIN, although some applications will terminate with a reset or a FIN followed by a reset.

TCP Too Many Retransmissions: The source IP node is sending another TCP packet with a sequence number that matches a previously sent TCP packet to the same destination IP address and TCP port numbers. Too many is when the percentage threshold exceeds that of total transmitted (non-ACK) packets.

TCP Fast Retransmission (by ACK): The source IP node is resending a TCP packet because the receiver has indicated a missing packet with a triple duplicate ACK (four identical ACK packets in a row).

TCP Fast Retransmission (by time): The source IP node is sending another TCP packet with a sequence number that matches a previously sent TCP packet to the same destination IP address and TCP port numbers. Retransmits are flagged as fast if they occur before the TCP Fast Retransmission threshold.

TCP Slow First Retransmission: The first retransmission is taking longer than the threshold, which may indicate slow recovery time and throughput.

TCP Retransmission: The source IP node is sending another TCP packet with a sequence number that matches a previously sent TCP packet to the same destination IP address and TCP port numbers.

TCP Invalid Checksum: The TCP header and/or data is in error. One or more bits has erroneously changed since the TCP segment was transmitted by the source IP host.

TCP Idle Too Long: The TCP connection hasn't been used since the threshold was set.


TCP Low Starting MSS: The TCP Maximum Segment Size (MSS) is at or below the threshold setting.

TCP Repeated Connect Attempt: A client is attempting multiple times to establish a TCP connection.

TCP Slow Acknowledgement: The recipient appears to be slow in acknowledging TCP data segments, based on the threshold added to the average ACK time.

TCP Slow Segment Recovery: A TCP segment is taking longer than the threshold to complete, which may indicate slow recovery time and throughput.

TCP Triple Duplicate ACK: A receiving TCP node has noticed one or more missing packets and is requesting that the sender retransmit them by sending 4 identical ACK packets.

TCP Low Window: The application is not keeping up with the incoming TCP segments. The threshold is based on the percentage of the maximum observed window for this conversation.

TCP Stuck Window: The TCP window size has not changed for three or more consecutive packets and has dropped below a percentage of the maximum window. The application may be one or more packets behind in processing incoming TCP segments.

TCP Zero Window: The recipient's TCP receive buffer is filling up (low window) or full (zero window).

TCP Segment Out of Sequence: A TCP data packet's TCP sequence number is less than the previous data packet's ending TCP sequence number.

TCP Segment Outside Window: The flagged TCP packet carries data before or after the available TCP window most recently advertised in an acknowledgement packet from the destination.

TCP Segment Acked but Missing: A TCP ACK packet that acknowledges data has not yet appeared within the capture.

RSVP Error: An RSVP error occurred in an RSVP path message or RSVP reservation message.

UDP Invalid Checksum: The UDP header and/or data is in error. One or more bits has erroneously changed since the UDP datagram was transmitted by the source IP host.

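Most of the TCP events in this section come from per-direction sequence and ACK bookkeeping over a flow. The following added example (not OmniPeek's own code) keeps that state for a constructed trace and raises TCP Retransmission (a data segment whose sequence number was already seen), TCP Fast Retransmission (by ACK) (the retransmitted segment is the one a triple duplicate ACK asked for), TCP Segment Out of Sequence (sequence number below the previous data segment's end), TCP Triple Duplicate ACK (four identical pure ACKs in a row), TCP Zero Window and TCP Segment Outside Window (data beyond the window the receiver last advertised). Endpoints are named "C" and "S" instead of real IP/port tuples, and the Segment record and trace are constructed.

```python
"""Sequence/ACK bookkeeping behind several OmniPeek TCP Transport events.

Added example, not OmniPeek's own code. The Segment record, endpoint names and
the sample trace are constructed for this demo.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Direction = Tuple[str, str]


@dataclass
class Segment:
    src: str
    dst: str
    seq: int
    ack: int
    length: int    # payload bytes; 0 for a pure ACK
    window: int    # receive window the sender of this segment advertises


class TcpFlowAnalyzer:
    def __init__(self) -> None:
        self.seen_seq: Dict[Direction, Set[int]] = defaultdict(set)   # data seqs already seen
        self.next_seq: Dict[Direction, int] = {}                      # end of last data segment
        self.dup_ack: Dict[Direction, Tuple[int, int]] = {}           # (ack number, run length)
        self.advertised: Dict[Direction, Tuple[int, int]] = {}        # (ack, window) last sent

    def feed(self, seg: Segment) -> List[str]:
        """Return the events raised by this one segment, then update state."""
        events: List[str] = []
        fwd: Direction = (seg.src, seg.dst)
        rev: Direction = (seg.dst, seg.src)

        if seg.window == 0:
            events.append("TCP Zero Window")

        if seg.length == 0:
            # Pure ACK: count identical ACK numbers in a row from this side.
            ack, run = self.dup_ack.get(fwd, (-1, 0))
            run = run + 1 if ack == seg.ack else 1
            self.dup_ack[fwd] = (seg.ack, run)
            if run == 4:
                events.append("TCP Triple Duplicate ACK")
        else:
            wanted, run = self.dup_ack.get(rev, (-1, 0))
            if run >= 4 and seg.seq == wanted:
                events.append("TCP Fast Retransmission (by ACK)")
            elif seg.seq in self.seen_seq[fwd]:
                events.append("TCP Retransmission")
            elif fwd in self.next_seq and seg.seq < self.next_seq[fwd]:
                events.append("TCP Segment Out of Sequence")
            if rev in self.advertised:
                rcv_ack, rcv_win = self.advertised[rev]
                if seg.seq + seg.length > rcv_ack + rcv_win:
                    events.append("TCP Segment Outside Window")
            self.seen_seq[fwd].add(seg.seq)
            self.next_seq[fwd] = max(self.next_seq.get(fwd, 0), seg.seq + seg.length)

        self.advertised[fwd] = (seg.ack, seg.window)
        return events


def analyze(segments: List[Segment]) -> List[List[str]]:
    analyzer = TcpFlowAnalyzer()
    return [analyzer.feed(s) for s in segments]


# Constructed trace: client C sends to server S; bytes 201-300 never reach the capture.
SAMPLE_TRACE = [
    Segment("C", "S", seq=1,   ack=1,   length=100, window=1000),
    Segment("S", "C", seq=1,   ack=101, length=0,   window=1000),
    Segment("C", "S", seq=101, ack=1,   length=100, window=1000),
    Segment("C", "S", seq=301, ack=1,   length=100, window=1000),  # gap: 201-300 missing
    Segment("S", "C", seq=1,   ack=201, length=0,   window=1000),
    Segment("S", "C", seq=1,   ack=201, length=0,   window=1000),
    Segment("S", "C", seq=1,   ack=201, length=0,   window=1000),
    Segment("S", "C", seq=1,   ack=201, length=0,   window=1000),  # fourth identical ACK
    Segment("C", "S", seq=201, ack=1,   length=100, window=1000),  # the segment those ACKs asked for
    Segment("C", "S", seq=301, ack=1,   length=100, window=1000),  # already seen once
    Segment("S", "C", seq=1,   ack=401, length=0,   window=0),     # receiver buffer full
    Segment("C", "S", seq=401, ack=1,   length=50,  window=1000),  # data sent into a zero window
    Segment("C", "S", seq=351, ack=1,   length=50,  window=1000),  # below previous data end
]

if __name__ == "__main__":
    for seg, ev in zip(SAMPLE_TRACE, analyze(SAMPLE_TRACE)):
        print(f"{seg.src}->{seg.dst} seq={seg.seq} len={seg.length}", ev or "ok")
```

The order of the checks matters: a segment that answers a run of four duplicate ACKs is reported as a fast retransmission rather than as a plain retransmission or an out-of-sequence segment, which is the distinction the guide draws between the two retransmission events.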

Network

IP

IP Invalid Header Checksum: The header portion of the IP datagram is in error. One or more bits has erroneously changed (with the exception of the TTL) since the IP datagram was transmitted by the source IP host.

IP Local Routing: Two identical IP packets except for the TTL have been detected.

IP Network Duplicated Packet: A single packet has appeared multiple times on your network. This could be a waste of network resources.

IP Low Time-To-Live: The IP Time-To-Live (TTL) has fallen to or below a pre-determined threshold, indicating that the packet can only traverse that many more routers before it is discarded.

IP Missing Fragment: An IP datagram has been fragmented by the host application or a router, and one of the fragments is missing.

IP Packet with CRC Frame Error: The CRC re-computed by the analyzer when the frame was received did not match the CRC at the end of the frame, indicating one or more corrupted bits in the frame. If the IP Header Checksum is okay, then the problem is most likely elsewhere in the frame.

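The IP Invalid Header Checksum event (and the "if the IP Header Checksum is okay" reasoning in the CRC entry) rests on the RFC 791 header checksum, shown here as an added example that is not OmniPeek's own code: a header is intact when the 16-bit one's complement sum over every header word, checksum field included, is 0xFFFF. It also shows why the guide excludes the TTL: a forwarding router decrements the TTL and refreshes the checksum, so a datagram stays valid hop by hop, while any other changed bit leaves a stale checksum that the check catches. The 20-byte sample header (192.168.0.1 to 192.168.0.199, UDP, TTL 64) is constructed.

```python
"""IPv4 header checksum verification behind the IP Invalid Header Checksum event.

Added example, not OmniPeek's own code. The sample header is constructed.
"""
import struct


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum of data, folding carries back into the low word."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ipv4_header_checksum(header: bytes) -> int:
    """Checksum the sender writes: complement of the sum with the field zeroed."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return (~ones_complement_sum(zeroed)) & 0xFFFF


def header_checksum_ok(header: bytes) -> bool:
    """Receiver/analyzer check: the sum over the whole header must be 0xFFFF."""
    ihl = (header[0] & 0x0F) * 4          # header length in bytes from the IHL field
    return ones_complement_sum(header[:ihl]) == 0xFFFF


def with_checksum(header: bytes) -> bytes:
    """Return the header with a freshly computed checksum in bytes 10-11."""
    return header[:10] + struct.pack("!H", ipv4_header_checksum(header)) + header[12:]


def router_forward(header: bytes) -> bytes:
    """What a router does per hop: decrement TTL (byte 8) and refresh the checksum."""
    return with_checksum(header[:8] + bytes([header[8] - 1]) + header[9:])


def flip_bit(header: bytes, byte_index: int, bit: int) -> bytes:
    """Corrupt one bit without touching the checksum: the case the event reports."""
    corrupted = bytearray(header)
    corrupted[byte_index] ^= 1 << bit
    return bytes(corrupted)


# Constructed header: version 4, IHL 5, total length 115, DF set, TTL 64, protocol 17 (UDP),
# 192.168.0.1 -> 192.168.0.199; the checksum field starts out zero and is filled in here.
SAMPLE_HEADER = with_checksum(bytes.fromhex(
    "4500 0073 0000 4000 4011 0000 c0a8 0001 c0a8 00c7"))

if __name__ == "__main__":
    print("sender checksum: 0x%04x" % ipv4_header_checksum(SAMPLE_HEADER))
    print("intact:", header_checksum_ok(SAMPLE_HEADER))
    print("after one router hop:", header_checksum_ok(router_forward(SAMPLE_HEADER)))
    print("after a flipped address bit:", header_checksum_ok(flip_bit(SAMPLE_HEADER, 19, 0)))
```

Because the TTL sits in the high byte of one header word, each hop changes the checksum by exactly 0x0100, which is what the recomputation in router_forward produces; a TTL change without that recomputation fails the check just like any other corrupted bit.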
IP Zero Address in Broadcast: An IP UDP packet is being broadcast using the old IP broadcast address of 0.0.0.0.

ICMP

ICMP Network Unreachable: A router is reporting back to the source host that it cannot forward a packet on to a network along the path to the destination host.

ICMP Host Unreachable: A router is reporting back to the source host that it cannot forward the packet to the destination host.

ICMP Protocol Unreachable: The destination host is reporting back to the source host that the indicated next layer protocol (usually TCP or UDP) is not available.

ICMP Port Unreachable: The destination host is reporting back to the source that the application layer protocol as specified by the UDP port is not supported.

ICMP Fragmentation Needed: A router is reporting back to the destination host that fragmentation is required to forward the packet, but the Don't Fragment bit was set in the IP header.


ICMP Source Route Failed: A router is reporting back to the source host that the path specified by the source cannot be followed.

ICMP Host Unknown: A router is reporting back to the source host that the destination host does not exist.

ICMP Net Unreachable TOS: A router is reporting back to the source host that a network is unavailable for the Type of Service (TOS) specified in the original IP datagram's header.

ICMP Host Unreachable TOS: A router is reporting back to the source host that the destination host is unavailable for the Type of Service (TOS) specified in the original IP datagram's header.

ICMP Comm Admin Prohibited: A router is reporting back to the source host that it cannot forward the original datagram due to administrative filtering settings.

ICMP Host Precedence Violation: The first hop router is reporting back to the source host that a requested precedence is not permitted.

ICMP Precedence Cutoff: A router is reporting back to the source host that a network has a minimum precedence level that is not satisfied by the original datagram.

ICMP Host Redirect: A router is reporting back to the source host that it should use an alternate route for the destination host.

ICMP Host TOS Redirect: A router is reporting back to the source host that it should use an alternate route for the destination network and Type of Service (TOS).

ICMP TTL Exceeded: A router is reporting back to the source host that a datagram has expired before being delivered to the destination host.

ICMP Fragmentation Time Exceeded: The destination host is reporting back to the source host that not all fragments of a datagram have been received.

ICMP Parameter Problem: The reporting host is reporting back to the source host that it found a problem with the header parameters in the original datagram such that it could not complete processing of the datagram and must discard it.

ICMP Obsolete Message: The reporting host is using an ICMP message type that has been obsoleted or deprecated. Recipient hosts may not understand the error message as a result.

Data Link

802.1X Dictionary Attack: A node is generating multiple login attempts by using common words found in a dictionary.


ARP Request Storm: A high count of ARP requests are flooding the network.

Broadcast Storm: A sustained level of all stations broadcast packets (the destination physical address consists of all 1s) has met or exceeded the threshold.

Multicast Storm: A sustained level of multicast (the broadcast bit in the destination physical address is set to 1) packets has met or exceeded the threshold.

Severe Broadcast Storm: A sustained level of all stations broadcast packets (the destination physical address consists of all 1s) has met or exceeded the threshold.

Severe Multicast Storm: A sustained level of multicast packets has met or exceeded the threshold (the broadcast bit in the destination physical address is set to 1).

Spanning Tree Topology Change: The actively forwarding bridge (or switch) port for this segment has changed.

EAP Authentication Failure: Using the 802.1x framework to carry EAP requests and responses (such as Cisco LEAP), an authenticator cannot authenticate the client.

Physical
LAN
Too Many Physical Errors: The CRC re-computed by the analyzer when the frame was received did not match the CRC at the end of the frame, indicating one or more corrupted bits in the frame. The threshold applies to a window of consecutive CRC frames from any source.

MAC Flooding: There is a high rate of new MAC Addresses flooding the network. This is often done to fill up switch node tables to cause a Denial of Service attack.

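Several events in this appendix are count-in-a-window thresholds: the wireless Association, Authentication and Deauthentication Attack events ("so many in so many seconds"), the ARP Request Storm, DHCP Request Storm and Broadcast Storm events in the Data Link section, and MAC Flooding above, where the counted item is a never-before-seen source address. The following added example (not OmniPeek's own code) implements one generic sliding-window detector and binds it to those events. The Frame record, the matcher functions, every threshold value and the trace are constructed for the demo; OmniPeek's actual thresholds are configured in the EventFinder settings and are not reproduced here.

```python
"""Sliding-window count thresholds behind the rate-based OmniPeek events.

Added example, not OmniPeek's own code. Frame records, matchers, thresholds
and the sample trace are all constructed.
"""
from collections import deque
from dataclasses import dataclass
from typing import Callable, Deque, List, Set, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    t: float      # capture timestamp in seconds
    kind: str     # "assoc_req", "auth_req", "deauth", "arp_req", "dhcp_discover", "data"
    src: str
    dst: str


class RateThreshold:
    """Raise `name` once when at least `count` matches fall inside `window_s` seconds.

    The detector re-arms when the count in the window drops below the threshold,
    so a sustained storm is reported once rather than on every frame.
    """

    def __init__(self, name: str, count: int, window_s: float,
                 match: Callable[[Frame], bool]) -> None:
        self.name, self.count, self.window_s, self.match = name, count, window_s, match
        self.times: Deque[float] = deque()
        self.fired = False

    def observe(self, frame: Frame) -> bool:
        if not self.match(frame):
            return False
        self.times.append(frame.t)
        while self.times and frame.t - self.times[0] > self.window_s:
            self.times.popleft()            # drop matches that aged out of the window
        if len(self.times) >= self.count:
            if self.fired:
                return False
            self.fired = True
            return True
        self.fired = False
        return False


class NewSourceMac:
    """Matcher for MAC Flooding: true only the first time a source address is seen."""

    def __init__(self) -> None:
        self.seen: Set[str] = set()

    def __call__(self, frame: Frame) -> bool:
        if frame.src in self.seen:
            return False
        self.seen.add(frame.src)
        return True


def build_detectors() -> List[RateThreshold]:
    # Threshold values are constructed for the demo, not OmniPeek defaults.
    return [
        RateThreshold("Wireless Association Attack", 20, 5.0, lambda f: f.kind == "assoc_req"),
        RateThreshold("Wireless Authentication Attack", 20, 5.0, lambda f: f.kind == "auth_req"),
        RateThreshold("Wireless Deauthentication Attack", 10, 2.0,
                      lambda f: f.kind == "deauth" and f.dst == BROADCAST),
        RateThreshold("ARP Request Storm", 50, 1.0, lambda f: f.kind == "arp_req"),
        RateThreshold("DHCP Request Storm", 20, 10.0, lambda f: f.kind == "dhcp_discover"),
        RateThreshold("Broadcast Storm", 200, 1.0, lambda f: f.dst == BROADCAST),
        RateThreshold("MAC Flooding", 40, 5.0, NewSourceMac()),
    ]


def run(frames: List[Frame]) -> List[Tuple[float, str]]:
    """Feed frames in time order to every detector; return (time, event name) pairs."""
    detectors = build_detectors()
    events: List[Tuple[float, str]] = []
    for frame in sorted(frames, key=lambda f: f.t):
        for det in detectors:
            if det.observe(frame):
                events.append((frame.t, det.name))
    return events


# Constructed trace: 12 broadcast deauthentications in about a second, three ARP
# requests, then 50 data frames from 50 distinct source addresses.
SAMPLE_FRAMES = (
    [Frame(i * 0.1, "deauth", "00:11:22:33:44:55", BROADCAST) for i in range(12)]
    + [Frame(1.5 + i * 0.1, "arp_req", "aa:bb:cc:00:00:01", BROADCAST) for i in range(3)]
    + [Frame(3.0 + i * 0.01, "data", "02:00:00:00:00:%02x" % i, "aa:bb:cc:00:00:02")
       for i in range(50)]
)

if __name__ == "__main__":
    for t, name in run(SAMPLE_FRAMES):
        print(f"{t:6.2f}s  {name}")
```

On the sample trace the deauthentication detector fires on the tenth broadcast deauthentication and MAC Flooding fires once the fortieth distinct source address appears; the three ARP requests and the fifteen broadcast frames stay below their constructed thresholds.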

Index
Numerics 1-way latency 75 2-way latency 75 802.11 analysis module 500 802.11 options 278 802.11 view 35, 416, 417 802.11 WLAN 414 A abort trigger 352, 355 absolute time packets view 469 PacketVisualizer tab 475 visual expert graphs tab 199 access control 26 Ack for 475 Acked by 475 ActiveX 246 ad hoc mode 485 adapter option 278 adapter view 35, 40, 42, 86, 277 adapters tab 22 add statistic dialog 339 advanced filter 129 aggregator adapter 41, 42, 501 alarms 342 alarms tab 23 alarms view 35, 346 default 342 installed components 496 make 283, 286, 299 make alarm 348 OmniEngine 342, 345, 346, 349 alarms view 48 altitude 442, 467 analysis modules 23, 384, 409 file location 497 notifications 385 options dialog 384 packets view column 385 analysis options 35, 229, 278 anti-aliasing 315 Apdex 66, 68, 181 API 5, 6 AppleTalk analysis module 501 application data 498 Application Performance Index (Apdex) 181 application view 48, 68, 181 apply analysis module command 385 Aruba remote adapter 41, 43, 44, 502 ASCII view 112 association strength 486 audio 262, 268 audio playing 255, 261, 268 authentication 14, 19, 486 auto scroll 377, 381 AutoCapture file 395 capture templates 394 create and edit 390 log file 391 scheduled task 399 B background image 314 background sounds 246 beacon packets 487 BSSID 300, 467 buffer size 39, 85 byte count 238


bytes captured 352, 353 C call background color 265 call quality 38, 39, 62, 66, 160, 170 call quality distribution 65 call summary 65 call utilization 66 call volume 66 call vs. network utilization 62, 160, 170 calls view 256 capture buffer 37 capture button view 408 capture file 37, 38, 50, 497 capture file formats 102, 105 capture menu 460 capture options dialog 30 802.11 view 35, 416, 417 adapter view 35, 40, 42, 86 alarms view 35, 346 analysis options 35 configuring settings 34 filters view 35 general view 30, 35, 55, 56, 62, 160, 170 graphs 329 graphs view 35, 329 hardware profiles view 35 statistics output view 35 triggers view 35 capture sessions 223 capture status 47 capture templates 32, 52, 54, 395 AutoCapture file 394 import 395 capture to disk 37, 38 capture window 10, 30, 94, 95 alarms view 48 application view 48 channels view 50 clients/servers view 48 creating 30

docking views 47 filters view 48 flows view 48 forensics capture 55 graphs 324 graphs view 49, 330 log view 48 monitoring capture 56 navigating 46 new capture 32 new forensics capture 32 new monitor capture 32 nodes view 49 OmniEngine 94 packets view 48, 98, 101 peer map view 49 progress section 46 properties dialog 100 protocols view 49 signal view 50 statistics 279, 280, 324 summary view 49 title 37, 46 WLAN tab 277, 279, 297 WLAN view 50 captures tab 21 captures view columns 491 channel column in packets view 468 network policy 208 radio frequency 111 scanning options dialog 416 channel statistics 277, 279, 295 channel view selection 299 channels view 50 checksums analysis module 502 Cisco remote adapter 41, 44, 45, 503 CKIP 486 clear log 377 client/server colors 409 clients view 240


clients/servers view 48, 178 color client/server 409 color tab 338 globes 299 packets view 410 peer map 312 statistics views 280 COM port 446 command line, starting OmniPeek 494 compare tab 205 Compass adapter 41, 503 Compass dashboard 4, 41, 48, 70, 84, 85, 91, 503 configuration tab 310 configuring OmniEngine settings 24 connect dialog 14 contents tab 245 continuous capture 35, 37, 85 continuous expert analysis 192 conversation 128 conversation details 317 conversation tooltips 315 conversations in peer map 309 Coordinated Universal Time (UTC) 38 copying packets 107, 145 CRC error 490 create graph template dialog 329, 333 creating a simple filter 128 creating an advanced filter 129 cumulative bytes 469, 475 current activity, dashboard 64 current adapter 47 D dashboard Apdex 66 Compass 70 network 63 timeline 60 voice & video 64

data link connection identifier 284 decode channel info 111 decode pane 98, 100 decode view 111 file location 497 line decoders 115 packet length 111 request/response threads 117 status info 111 threads 117 timestamp 111 decrypt WLAN packets dialog 103 decryption 102, 103, 116 deleting packets 107 delta time 469, 475 detail statistics 284, 287 details tab 161, 243, 259 forensics tab 167 discover engines dialog 18 discovering engines 18 display filter 51, 100, 122 display format 409 display HTML as HTML 245 display HTML as source text 245 display weak associations 299 DNS name 14, 15 DNS server 100 docking views 47 domain 14, 19 download images 246 drivers 497 duplicate a filter 140 duplicate address analysis module 503 duration status 47 E EAPOL key 416 EAPTLS 486 edit a filter 139


edit graph template dialog 329, 337 edit menu 455 edit name dialog 366 edit note 100, 102 edit scanning 416 email analysis module 505 enable a filter 124 encrypted packets 102 encryption 414, 416, 417 ESSID 209, 487 event log tab 184, 261 event summary tab 183, 260 expert 56 clients/servers view 178 column headings 470 EventFinder 189, 256 EventFinder settings window 189 expert tab 180 expert view options dialog 185 installed components 496 memory usage 191 save functions 189 threshold assistant 191 export filters 140 F fake filter 296 file formats 105 file menu 454 file path 37 file splitting 52 files tab 22, 51, 56, 144, 153 filter bar 51, 135, 147 filters 269 about filters 120 adding groups 121 duplicate 140 edit 139 enable 124 filter file 496 filters tab 23

filters view 35, 48, 121 installed components 496 load 140 new capture 133 reject matching 126, 127 save 140 trigger events 351, 352, 353 view 128, 129, 133 window 120 flags 468 flat view 283, 286 expert tab 180 node statistics tab 283 protocol statistics 286 flow list MSA flow list 214 flow map 213, 217 flows 71, 79 flows view 48 fonts view 280, 408 forensic analysis 4, 51, 55, 144, 153 forensic search 55, 62, 153, 154, 161, 168 forensic searches 22 forensics capture 32, 55 forensics tab 22, 56, 144, 153, 158 FTP analysis module 506 full-duplex 6 G gauge tab 289 geiger counter 302 general view 30, 35, 55, 56, 62, 160, 170 gigabit analyzer cards 6 global log 376 global messages only 379, 382 globes 299 GPS 498 altitude 442 display update lag 443 fix, defined 440


GPS view 409 latitude 442 local measurement systems in 443 longitude 442 receivers supported 440 recognized NMEA sentences 440 speed 442 time 442, 467 graph data options dialog 322 graph display options dialog 327, 338, 339 graph templates 333 graphs capture options dialog 329 capture window statistics 324 directory 496 graphs tab 23, 197, 329, 339 graphs view 35, 49, 329, 330 save 340 visual expert 197 grouping files 155 GTK (Group Transient Key) 103, 416 H hardware profiles options 278 hardware profiles view 35 headers tab 244 Hex pane 98, 101 Hex view 112 hidden packets 145 hide and unhide 145 hiding packets 145, 146 hierarchical view 286 hierarchy of wireless nodes 300 hierarchy view 283, 286 history statistics 277, 293 home tab 21 host 14 HTML 245 I ICMP analysis module 506

images 246 import capture templates 395 import filters 140 insert engine 14 insert filter dialog 91, 128, 129, 133 insert into name table 283, 286, 299, 317, 367 insert name dialog 366 installing OmniEngine 8 installing OmniPeek 7 Intelligent Platform Management Interface 15 IP address 14, 61, 64, 159, 169 IP analysis module 507 IPMI port 15 IPv6 address 61, 64, 159, 169 J JavaScript execution 246 jitter buffer 255, 262, 268 K key set 102 key set dialog 417, 419 key set view 409 L ladder 213, 218 latency 75, 422 latency graph 200 latitude 442, 467 LEAP 486 list views 280, 408 listen time 18 load filters 140 loading name table 370 local machine 41 locate node 299 log file 391 AutoCapture file 391 print 377, 380 save 377, 380 log tab 22


log view 48 log, dashboard 64 longitude 442, 467 M main program window 8 make alarm 283, 286, 296, 299 make filter 286, 299, 317 command 100, 128 node 128, 283 packet 128 packet decode 128 protocol 128 map type 310 map type parameter 310 mapping profile 231 matrix switches 24, 409, 446 maximum conversations slider bar 191, 192 media view 257 memory usage 191, 192 MIB file 361 MIBs directory 497 misc. tab 338 Modbus analysis module 508 monitor capture 32 monitor menu 461 monitor mode 91 monitor options 277 802.11 278 adapter 278 analysis options 278 hardware profiles 278 statistics output 278 monitor options dialog 10 monitor statistics 276, 280, 322 monitoring capture 56, 276, 279 MPLS/VLAN analysis module 508 MSA 212 analysis options 229 capture sessions 223

creating project 219 engines 222 flow map 213, 217 ladder 213, 218 mapping profile 231 progress 225 project 221 project file 228 project window 213 segments 226 time range & filter 221 wizard 219, 221 multi-segment analysis 212 N name resolution view 368, 408 name table 100 adding groups 365 building 364 insert 283, 367 installed components 496 loading 370 NIC vendor ID file 496 resolving names 364 saving 371 navigating a capture window 46 navigation pane 47 NCP analysis module 510 NetWare analysis module 510 network dashboard 63, 288 network forensics 4, 51, 55, 144, 153 network policy dialog 206 network speed 41 network statistics 276, 288, 289 network utilization 71 new capture button 133 new file set schedule 304 new forensics capture 32 new monitor capture 32 newsgroup analysis module 510 NIC vendor ID file 496


NMEA (National Marine Electronics Association) 0183 standard 440
node detail statistics window 283
node details 282, 283, 299
node details tab 183
node statistics 276, 279, 281, 283
    flat views 283
    hierarchy view 283
node visibilities 312, 313
nodes 71, 81
nodes in peer map 309
nodes view 49
nodes visibility criteria 311
noise 487, 491
notes 100, 102
notifications 358
    actions 360
    analysis modules 385
    configuring 358
    email 361
    execute 361
    log 361
    notifications tab 23
    notifications view 409
    SNMP trap 361
    sound 361
    syslog 361
    text log 361

O

offsets 113
OmniEngine
    access control settings 26
    adapters tab 22
    alarms tab 23
    authentication 14, 19
    capture window 94
    captures tab 21
    configuring 24
    discovering 18
    DNS name 15
    domain 14, 19
    files tab 22, 51, 56, 144, 153
    filters tab 23
    filters view 121
    forensics tab 22, 56, 144, 153, 158
    general settings 26
    graphs tab 23
    home tab 21
    host 14
    installation 8
    log tab 22
    matrix switches tab 24
    notifications tab 23
    OmniEngine tabs 21
    password 15, 19
    port 14
    security settings 26
    tabs 20
    template 40
    trust table tab 23
    updating 24
    username 15, 19
OmniEngine Manager 24
OmniEngines window 12, 13, 14, 18
    captures view columns 491
    graphs tab 329
OmniPeek Remote Assistant 434, 435, 436, 438
open payload 252
opening a capture file 50
options dialog
    analysis modules view 384, 409
    capture button view 408
    client/server colors 409
    fonts view 408
    GPS view 409
    key set view 409
    list views 408
    matrix switches view 409
    name resolution view 368, 408
    notifications view 409
    ORA group 409
    units 409
    VoIP 409
    warnings view 409
    workspace view 408
ORA 434, 435, 436, 438
ORA group 409

P

packet count 238
packet decode window 108
packet decoders 497
packet file formats 105
packet list options dialog 101
packet list pane 98, 100
packet size distribution 276, 290
packet slicing 35, 39
packets in buffer 47
packets tab 468
    latitude 467
    longitude 467
packets view 48, 98, 101, 145
    altitude 442
    flags 468
    latitude 442
    longitude 442
    speed 442
PacketVisualizer tab
    Ack for 475
    Acked by 475
    cumulative bytes 475
    SEQ/ACK 194
    time ticks 193
    visual expert 193
pages view 241
passphrase 418
password 15, 19
payload 251, 252
payload tab 196
PEAP 486
PeekCat 52, 497
PeekSplit 497
peer map 308
    color 312
    configuration tab 310
    conversation details 317
    conversations 309
    map type parameters 310
    node visibilities 313
    node visibilities tab 312
    nodes 309
    nodes visibility criteria 311
    options 315
    peer map tab 318
    peer map view 49
    profiles task pane 314
    protocol segments 315
    protocols 309
    select related packets 317
    tooltips 315, 318
    view 308
physical address 61, 64, 159, 169
play audio 255, 261, 268
port 14
post-capture analysis 144
power save 487
PPP analysis module 510
predefined alarms 342
print 281
print log file 377, 380
print reassembled PDU 117
print statistics 281
printing packets 107
privacy 489
profiles task pane 314
project file 228
properties dialog 100, 102
protected packets 487, 490
protocol details 287
protocol information 286
protocol segments 315
protocol statistics 276, 279, 284, 286


protocol utilization statistics 286
protocols 71, 76, 159, 169
protocols in peer map 309, 312
protocols view 49
ProtoSpecs 280, 287, 312
PTK (Pairwise Transient Key) 103, 416

R

radio frequency 111
RADIUS analysis module 510
reject matching 126, 127
relative time
    compare tab 205
    packets view 469
    PacketVisualizer tab 475
    visual expert graphs tab 199
report templates 497
reprocess all packets 457
reprocess VoIP info 457
request/response threads 117
requests view 242
resolve names 100, 317
RFGrabber analysis module 511
roam time 488
roaming 421
roaming latency 422
RTP/RTCP packets 266

S

save
    capture template 395
    captured packets 105
    file formats 105
    filters 140
    log 377, 380
    name table 371
    packet list (tab-delimited) 106
    packets 144
    reassembled PDU 117
    statistics 280
save audio WAV file 262, 268
save payload 251
save web statistics 251
scale tab 338
scroll 377, 381
SCTP analysis module 511
select command 150
select graph items dialog 334
select related packets 146, 317
selection results dialog 136
send menu 460
sending
    edit send packet 405
    select send adapter 402
SEQ/ACK 194
    highlighting in PacketVisualizer 194
sequence graph 201
servers view 239
session 161
show offsets 113
signal statistics 279, 300
signal statistics options dialog 302
signal strength 486, 490
signal view 50
signaling tab 262
simple filter 128
size bar 468
size statistics 276, 290
SMB analysis module 511
snapshots of summary statistics 292, 293
sources of remote notifications 362
speed 442, 467
splitting files 52
SQL analysis module 512
SSID 277, 418
SSL decryption 103
STA 300
start capture 95
start page 8
start trigger 350, 352, 355


start/stop capture 47
statistics
    capture window 279, 280
    channel 277, 279, 295
    color 280
    detail 284, 287
    display 280
    history 277, 293
    history statistics sampling interval 294
    history statistics scale options 294
    monitor 276
    network 276, 288
    node 276, 279, 281, 283
    nodes 283
    output 278
    output view 35
    printing 281
    protocols 276, 279, 284, 286
    report templates 497
    saving 280
    signal 279, 300
    size 276, 290
    statistics tab 339
    summary 277, 279, 291
    summary statistics 293
    voice & video 261, 267, 271
    WLAN 277, 279, 297
statistics output options 278
status bar 47
stop capture 95
stop trigger 350
storage tab 161, 165
SUM analysis module 512
summary call 65
summary snapshot 292
summary statistics 277, 279, 291
summary tab 206
summary view 49
switches, matrix 446
synchronizing files 155

T

tabs, OmniEngine window 20, 21
TCP Trace 201, 476
TCP Trace graph 201
TCP window graph 202
TCP/IP port 14
Tcpdump 134
TDS traffic 512
Telnet analysis module 513
template 40
text log notification 361
threshold assistant 191
time range & filter 221
time ticks 193
time trigger events 351, 352, 353
timeline dashboard 60
timeline graph 61, 160
TimeLine network recorder 153
timeline tab 161, 164
timestamp 37, 38, 111
timing column 236
timing example 248, 249
timing tab 246
TKIP 486
tooltips 315, 318
top flows 71, 79
top nodes 71, 81
top protocols 71, 76, 159, 169
top protocols by IP address 61, 64
top talkers 159, 169
top talkers by IP address 61, 64
transmitter 467
trigger 51, 342, 350
    bytes captured 353
    event 351, 352, 353
    filter trigger events 351
    OmniEngine 352
    start trigger 350
    stop trigger 350
    time trigger events 351
triggers view 35
trust 486
trust table tab 23
trust, assigning trust levels to nodes 367
trusted, known and unknown nodes 367

U

undocking views 47
unhiding packets 145, 146
units 409
updating OmniEngine settings 24
upload packets 155
username 15, 19
UTC 38

V

value tab 289
vendor ID 207
view menu 457
view section 47
view type 61, 160, 170
visual expert 254
    compare tab 205
    defined 192
    graphs tab 197, 200
    PacketVisualizer tab 193
    payload tab 196
    summary tab 206
    what if tab 203
VLAN 468
voice & video 254, 256, 257, 269
voice & video dashboard 64
voice & video statistics 261, 267, 271
voice & video view 254
voice & video visual expert 254, 261, 262
VoIP 39, 409
VoIP analysis module 513
VoIP options 271
volume, call 66
VoWLAN 421

W

WAN analysis module 513
warnings view 409
WAV file 262, 268
web analysis 234
web analysis module 514
web statistics 251
web view 234, 250, 251
WEP 116, 414, 417
WEP ICV 487, 490
WEP key 487
what if tab 203
WildPackets API 5, 6, 41
wireless adapters 41
wireless channels 414, 416
wireless encryption 414, 416, 417
wireless signal 63
WLAN authentication 209
WLAN encryption 209
WLAN statistics 277, 279, 297
WLAN tab 277, 279, 297
WLAN view 50
workspace view 408
WPA 116, 414, 417, 418
WPA key set 103
WPA2 414, 417
